The latest big-name victim of what some have termed the “cyber-pandemic” made global headlines last week. This time, global consulting firm Accenture was the one caught in the crosshairs of what’s shaping up to be an extremely active year for cybercriminals. According to Verizon, cyberattacks have increased by 400% since before the COVID-19 pandemic.
According to CNN, the LockBit ransomware gang was threatening to publish Accenture’s encrypted files on the dark web unless the company paid the ransom. Ransomware has become a critical threat to national and economic security, CNN points out, amid a string of attacks against corporate and infrastructure targets. This year alone, DarkSide forced Colonial Pipeline to shut down its fuel distribution operation, and REvil attacked both JBS Foods and IT software vendor Kaseya.
These and other high-profile attacks on organizations and infrastructure have heightened companies’ awareness of digital supply chain vulnerabilities and the steps that need to be taken to stop these “bad actors” from wreaking havoc on these worldwide networks.
“Sophisticated threat actors have already targeted widely used — and poorly secured — supply chain components,” three authors from the Centre for Risk Studies point out in HBR. Many businesses are ill-prepared to survive the fallout of such attacks. For example, a recent Verizon study found that 60% of small- and medium-sized businesses (SMBs) go out of business within six months of a cyberattack.
Conquering the Fear Factor
When interviewing a group of corporate executives and cybersecurity experts about the vulnerabilities that exist in today’s digital supply chains, the Centre for Risk Studies learned that the fear factor is high when it comes to supply chain security.
“But the good news is that firms don’t have to feel helpless; they can rely on others outside the firm to unearth vulnerabilities,” the authors write. “Over the last several years, the growing ecosystem of security researchers and information-sharing agencies has identified thousands of critical vulnerabilities before they were exploited by malicious actors. Businesses simply need to stay informed and react with a sense of urgency to the threats that may impact them.”
Instead of searching for bugs in their systems, for example, they say companies should focus on quickly prioritizing and patching vulnerabilities—something few companies are doing right now. Citing a recent HP-Bromium report, the authors say many companies aren’t addressing or remediating years-old vulnerabilities. “Businesses that fail to fix vulnerabilities for which a patch exists are at acute risk.”
Companies that want to do a better job in this area—and shore up their overall digital supply chains against possible threats—can start by using automated tools that fix simple vulnerabilities, the Centre for Risk Studies advises. Also understand that not all vulnerabilities are created equal. “Just as a busy hospital triages patients, IT teams can triage vulnerabilities,” the authors write. “Exploitable and impactful vulnerabilities must be fixed quickly. Businesses can wait until scheduled updates to remediate less-urgent vulnerabilities.”
They also recommend that businesses demand that their vendors implement “hot patching” systems, which effectively deploy patches without the need to reboot the software program in question. “While implementing this functionality may increase costs,” the authors point out, “it will also ensure that businesses don’t have to choose between cybersecurity and availability.”
Tackling the Unknown
The recent spate of ransomware cybersecurity attacks has proven that everyone suffers when a supply chain is compromised: buyers, suppliers and users alike. “The pace and magnitude of these and other attacks are increasing,” KPMG’s Jonathan Dambrot writes in “How To: Strengthen Supply Chain Security.” “It is clear that supply chain security needs strong oversight and control to ensure security.”
Citing a recent study that found just 10% of supply chain professionals feel “highly prepared” for future disruption, Dambrot suggests companies focus on what can be done ahead of time to assess risk, minimize potential disruption and prepare for the disruption that will inevitably come, whether unknown or unforeseen.
A good starting point is to assess existing policies and procedures related to supply chain risk and compliance. “Organizations need to evaluate what they can control and what they cannot, including third-party risk, data privacy and regulatory gaps,” Dambrot advises.
Companies can also identify potential security concerns by conducting vulnerability scans of technology policies and training procedures. “Developing security threat recognition capabilities and preparing incident response plans should an attack occur,” he adds, “are [all] critical to supply chain security.”