Taming the 'wild west' of cybersecurity in the supply chain
Executives can combat cyber threats with due diligence.
The following is a guest post from Glenn Gorman, Chief Information Officer at Amber Road.
In today’s fast-paced, high-technology world, it sometimes feels like the Wild West when it comes to maintaining a secure global trade technology environment while still providing access to parties all over the world. The flow of goods and services relies on the constant flow of information. But supply chains are by nature complex, evolving operations that are exposed to many risks, with security being a primary one.
Cybersecurity weighs heavily on the minds of global trade professionals when it comes to business risks in the supply chain. A recent survey of 250 industry professionals revealed that their top supply chain concern was cybersecurity, and it is easy to understand why. The average cost of a data breach to an organization, as reported in 2015, was US$6.5 million.
Cyber threats grow with connected supply chains
As more supply chain businesses transact over the internet, data rarely stays inside a company’s building anymore. More data is pushed into the cloud, outside of company firewalls and the company's direct controls, leading to greater concern over hacks and system vulnerabilities.
In fact, a growing number of successful hacks are being traced through supply chains. By some estimates, up to 80% of breaches may originate in the supply chain. In 2013, for example, hackers broke into Target Corp.’s payment network by stealing login credentials from a company that provided heating and air conditioning services.
Digital breaches are not limited to brick-and-mortar enterprises, though. A few months ago – in an ironic turn of events – web performance and security provider Cloudflare revealed that a software bug had caused sensitive data to spill in plaintext from customers’ websites. Days later, Amazon’s S3 web-based storage service experienced widespread issues, leading to partially or fully broken services on websites, apps and devices that many companies rely on for their business.
While cyberattacks aimed at stealing employee or customer data remain the most talked-about threats, attacks vary in nature. Nowadays, cyberattacks can include spoofing, phishing, malware, denial of service or even extortion scams. Meanwhile, threats can be born of simple human error (engaging with a phishing e-mail) or emerge from an advanced technological attack.
Many companies thinking about security begin by securing their networks, software and digital assets against cyberattacks and data breaches. And most companies are reasonably well protected with firewalls, strong password policies and proper user education.
However, brute force attacks continue to grow in sophistication and stealth as hackers try to outsmart users and systems.
Combating cybersecurity with knowledge
While it might seem difficult to maintain the right defenses, with the right skills and technology in place, companies can ensure there’s a new sheriff in town who can grapple with these new hacks and threats.
Companies should look at their internal systems, update their procedures and implement functions such as the following:
- Circle the wagons: Effective use of a security framework requires identifying vulnerabilities and threats via risk management strategies that understand the business context, as well as the available resources to support critical functions. Identifying cybersecurity risks is akin to circling the wagons around potentially vulnerable systems, assets, data, and capabilities.
- Put on protective chaps: A potential cybersecurity event requires protection and safeguards of critical infrastructure services. Companies must practice access control, awareness and training, good data security, iron-clad information protection processes and procedures, and ongoing maintenance to ensure full protection.
- Hit pay dirt: Cybersecurity tools must be able to discover any cybersecurity events as they happen without the benefit of a shovel.
- Keep a lookout: Monitor and respond to contain the impact of a potential cybersecurity event, so your supply chain and bottom line don’t suffer. The best lookouts have well-oiled emergency and contingency plans when outlaws crop up, allowing companies to effectively communicate, analyze, and mitigate the damage.
- Play the ace in the hole: Timely recovery is critical to resuming normal operations, reducing the impact from a cybersecurity event on your company. An emergency situation requires laying all your cards on the table to restore any capabilities or services that were impaired due to a cybersecurity event.
Security is only as strong as the weakest link, and companies put a lot of trust in their partners and providers. Due diligence is essential when choosing a provider or partner to work with. There are four key considerations:
- Don’t take things at face value. Do due diligence via questionnaires, conference calls, etc.
- Consider whether a partner’s offices and data centers are physically secure.
- Make sure partners implement background checks and training for their staff.
- Review all partners’ security controls and request certifications and test reports.
Cyberattacks can lead to a myriad of issues, including disruption of core operations, a damaged brand reputation, financial losses, reduced data privacy and breaches of contractual obligations. It’s time to make some changes that insulate your global operations.
While there are numerous questions to ask and skills or technologies to implement, supply chain security is every company's responsibility. Being constantly aware of the wide range of challenges, and creating a strategy to address them, is a step in the right direction. But at the very least, managers should ensure their partners have implemented a viable protective layer against intrusion.
As Chief Information Officer of Amber Road, Glenn Gorman is responsible for the company's technological infrastructure, setting technology and security policy, and managing the company's Hosting Operations, Corporate IT and Quality Assurance departments. With over 32 years of IT experience, Glenn has developed a diverse skill set with hands-on expertise in hardware, software, network, security, data center operations and systems engineering.