For too long, supply chain risk management has been mostly confined within supply chain circles. CEOs and government agencies were more than happy to let a few experts deal with supply chain challenges. Thanks to a rise in cyber attacks, supply chain risk management is receiving attention in all quarters. A survey of 1,300 senior IT decision-makers and security pros from the US, Canada, UK, Mexico, Australia, Germany, Japan, and Singapore found two-thirds of them reported their organizations had “suffered a supply chain attack in the past year.”[1] The survey, conducted by Vanson Bourne on behalf of CrowdStrike, also found “71% say they don’t consistently require the same security requirements of their third-party suppliers as they use internally.” How big is this concern? Laurel Deppen reports CrowdStrike believes supply chain cyber attacks are the world’s fastest growing cyberthreat.[2] As a result of these increased attacks, c-level executives and political decision-makers are now actively involved in supply chain risk management (SCRM). It’s finally reached the big time.
Responding to cyber attacks
Supply chain cyber attacks are costly both in terms of time and money. Deppen reports, “[CrowdStrike] found that, on average, supply chain attacks cost organizations $1.1 million. For U.S. companies, however, the average cost per attack is $1.27 million. The report found that supply chain attacks can take organizations up to 63 hours to detect and remediate. U.S. organizations averaged a 12-hour response time, ahead of their counterparts in other regions that averaged 15-hour response times. Similarly, the report stated that U.S. organizations could resolve supply chain attacks in 22 hours, ahead of the global average of 25.” Organizations need to double-down on their efforts to counter cyber challenges, because they are only going to increase. Journalists from MeriTalk report, “Supply chains increasingly are being targeted by attackers, according to Accenture’s Cyber Threatscape Report. ‘Threat actors have identified supply chains as being effective means of infiltrating or affecting victim organizations,’ the report notes. Accenture details how attackers have used software and hardware weaponization, logistics disruptions, and intrusions to breach the security of supply chains.”[3]
Perhaps the most troubling conclusion drawn by Accenture is that nation-states, not just criminal organizations, are behind the attacks. The report notes, “Software supply chain tampering by resourced nation-state or criminal groups will continue to be used as a delivery method for increasingly sophisticated malware families.” The fact that nation-states are involved has finally drawn the attention of lawmakers in Washington, DC. Ernesto Digiambattista reports, “Policymakers in Washington have recently begun to consider measures that take aim at supply-chain risk management. The disconcerting reality, however, is that they are already behind the curve, as the status quo for SCRM is not keeping pace with today’s dynamic threat landscape.”[4] Digiambattista acknowledges that interagency collaboration has begun but adequate funding and staffing remains lacking. “Acknowledging a clear issue that should have been addressed long ago is vital,” he writes, “but even more so is tangible action such as reasonable funding and adequate staffing. … With China, Iran, and Russia developing increasingly sophisticated technologies focused on hacking our critical infrastructure, policymakers must act with urgency to combat such threats. Opting to continue down a decentralized path would be reckless.”
Organizations can’t rely solely on the government
Although government help in preventing supply chain cyber attacks should be welcomed, organizations must rely mostly on their own efforts. Joseph Brookes notes, “Gartner analysts [insist] ‘IT security is a board-level topic and an essential part of any solid digital business strategy.’ … Gartner says, it’s taken a string of high profile security incidents to elevate security concerns. The Equifax data breach alone, which cost the CEO, CIO, and CSO their jobs and caused world-wide damages between $1.5 to $4 billion, should be enough to make senior executives acknowledge the challenge.”[5] Elevating supply chain cybersecurity risks to the C-level isn’t always easy. Jeff Spivey explains, “Adding to the uncertainty around vulnerabilities is that many leaders aren’t clear on how to benchmark effectively to understand their risks, enhance their security efforts and measure progress.”[6] He adds, “Boards of directors and executives often lack confidence in how their organizations’ cybersecurity posture actually protects their abilities to achieve their stated organizational goals and deliver business value.”
Where should boards and C-level executives begin looking for vulnerabilities? Spivey notes, “The vulnerabilities that businesses can experience are vast.” They include:
- Incomplete governance/management
- Shortage of cyber or physical security personnel
- Insufficiently trained staff and partner companies
- Cyber or digital risk management vulnerabilities, such as incomplete risk assessments; static policies, standards, or procedures; or incomplete Governance Risk and Compliance Program
- Operational processes incomplete, incorrect or lacking maturity
- Technology vulnerabilities, such as software or hardware vulnerabilities, internet disruption such as a geopolitical attack on the grid, autonomous cars susceptible to outside hacking, ransomware attack encrypting mission-critical data for a highly dependent organization such as a government, hospital or financial institution; artificial Intelligence with flaws or back doors; and incomplete audit review processes
Spivey adds, “Vulnerability awareness and management require forward-thinking strategic plans from governance and management to assure strong value from information technologies.”
Summary
Cyber threats continue to grow everywhere; but, supply chains are increasingly targets of such attacks. Raj Samani, Chief Scientist at McAffee, notes new revelations are constantly being discovered “concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide. Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics.”[7] Even with all stakeholders (i.e., governments, vendors, and organizations) involved in efforts to counter cyber threats, more effort is needed. Spivey concludes, “Dedicating staff resources and funds to this effort and using the right tools will ensure that organizations understand their cyber vulnerabilities, benchmark effectively, and put in place effective measures to enhance risk management capabilities and strengthen cybersecurity.”
Footnotes
[1] Staff, “Two-Thirds of Organizations Hit in Supply-Chain Attacks,” DarkReading, 23 July 2018.
[2] Laurel Deppen, “What is the fastest growing cyberthreat? 80% say supply chain attacks,” TechRepublic, 23 July 2018.
[3] Staff, “Accenture Report Highlights Growing Supply Chain Security Risk,” MeriTalk, 7 August 2018.
[4] Ernesto Digiambattista, “Washington to finally focus on threat to supply-chain risk management,” The Hill, 28 August 2018.
[5] Joseph Brookes, “Executive Awareness Leads Gartner’s Six Cybersecurity Trends,” Which-50, 10 July 2018.
[6] Jeff Spivey, “Understanding what cyber vulnerability, threats and risks really mean,” Information Management, 17 July 2018.
[7] Bob Violino, “It’s no surprise, but cybersecurity incidents continue to rise,” Information Management, 12 July 2018.