According to the Symantec 2019 Internet Security Threat Report, supply chain attacks spiked 78 percent in 2018. Not only is the volume and severity of these attacks growing, so is their sophistication.
Organizations that depend on a supply chain need to deal with the facts that 1) all of their supply chain data is traversing the global internet and 2) that data resides in internal repositories across the enterprise as well as externally with third-party providers. This adds to the difficulty of monitoring and assessing real-time cyber risk among supply chain partners.
Historically, supply chain risks were limited mostly to disasters and accidents – hurricanes, floods, or fires destroying warehouses – or human error, like inputting the wrong information into the system. Today’s supply chain risks have shifted to internet-based cyber-attacks. Some simply disturb the usual course of business activity, such as distributed denial of service (DDoS) attacks that block access to web-based logistics applications and ordering sites. Other attacks are more destructive and either copy, rearrange or destroy vital data, or are meant to steal critical intellectual property, hold companies hostage, or steal personal information that can be used or sold later.
Large organizations that depend on third-party partners and vendors with internet connections to the rest of the supply chain can pose the most significant risks. If a cybercriminal gets into one party of a supply chain, it can possibly open up attack surfaces for all companies in the chain. Target lost its CEO along with $164 million when a small HVAC contractor that was part of its supply chain was breached, allowing hackers into Target’s enterprise network through what was supposed to be a private vendor portal.
At the same time, enterprises are generating more data than ever before. All of this data, housed in many locations and repositories, presents more opportunity to cybercriminals through increasing the quantity of attack surfaces.
Currently, the most common tactics for protecting against attacks in the supply chain sector are the basic IT security housekeeping measures that any organization should follow, like:
- Knowing which suppliers have which data and where the data is physically stored.
- Managing who has what level of access, e.g., system administrators vs. normal users.
- Encrypting your data at rest and in transit.
- Ensuring that your suppliers install all relevant software patches.
- Monitoring supplier policies on username/password, the use of handheld devices, laptop security, and other issues relating to user access.
- Assuring that suppliers keep all firewalls and anti-virus software up to date.
- Requiring suppliers to use multi-factor authentication to access third-party portals.
But the larger a supply chain gets, the more attack surfaces it offers. While adhering to cybersecurity best practices is essential, internet security is still a risk to supply chains with such significant attack surfaces. Additional measures beyond typical best practices are required to ensure that data is securely transmitted and stored in a supply chain that’s protected from end to end.
Because of the diverse global landscape of the supply chain, with its many multi-tiered suppliers, the source and destination of the fulfillment process must also be protected. Hiding or masking the source and destination inside a private internet-based environment ensures protection from cyber adversaries, essentially making the supply chain network invisible to unauthorized users. Multiple layers of encryption secure the data itself, both in transit and at rest.
Protecting data and network resources at the endpoints and in transit is the key to a successful, secure supply chain. A highly obfuscated, cloud-based network that privatizes the public internet, with data protected by multi-layered encryption, will ensure the integrity and confidentiality of the information that fuels today’s digitally connected global economy.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.