Inbound Logistics | February 2022

2 Start with people. Criminals usually find it easier to call a company employee and try to persuade them to divulge information, or to send a “phishing” email that attempts to get information, rather than hack into a system, which requires some level of technical expertise, says Mark Simon, vice president of strategy with Celigo.

Moreover, phishing attempts are becoming more sophisticated and difficult to identify, even as employees are busier and often juggling multiple roles, making them more susceptible to these attempts. Given that the biggest security risks tend to be not hardware and software, but employees, proper training and policies are key.

For instance, employees should be instructed not to follow emails that purport to come from a company executive and request an immediate action that falls outside established processes. When an email looks like it’s from senior leadership, “there’s an implied sense of urgency,” says Simon. Employees may feel justified in circumventing security processes—exactly what the criminal is counting on.

Corporate policies should incorporate checks and balances that can help thwart social engineering attempts. For instance, an organization might prohibit the use of email, rather than the payment system, to initiate funds transfers to vendors.

3 Implement the appropriate governance. Strong governance ensures that each player in the supply chain has in place a clear and effective cybersecurity plan that is regularly maintained and remains up-to-date with ongoing requirements of the cyber industry, Lanowitz says.

An organization must work side-by-side with its vendors and suppliers to reduce weak points in its network and prevent vulnerability to attacks. With strong governance, organizations in the supply chain should have a strong digital security infrastructure.

4 Work closely with suppliers. Cyber-criminals typically take the path of least resistance when they try to penetrate a high-stakes corporate database, Amling says. Rather than attack the fortified networks of most large companies, some identify Tier 2 or Tier 3 suppliers that lack the capital or knowledge to protect themselves.

Businesses need to assess the security not only of their own networks, but those of their suppliers. That requires carefully evaluating potential vendors. Look closely at the contract terms: What risk is contractually defined, transferred, and/or shared? What are the potential damages if something goes wrong? Ideally, vendors will have their own cyber-insurance policies, as this indicates they understand their cyber risks and have controls in place.

An external party should evaluate companies that provide digital supply chain services, such as cloud computing, software-as-a-service, or chatbots and virtual assistants using artificial intelligence, Brown advises. This could mean obtaining a SOC 2 report that examines the organization’s logical and physical security controls.

Brown also recommends reviewing existing contracts. Over the past year or two, many organizations had to quickly move to cloud-based services, leaving little time to check their providers’ governance and compliance protocols. Now, they may find some contracts don’t include reasonable cybersecurity protocols, such as the ability to audit the services provided. Organizations should seek to change the terms, if possible.

5 Implement security technology. While the human element is key in cybersecurity, technology also plays an essential role. Although the tools vary from one organization to another, a few are commonly used across industries, Waters says.

One is multi-factor authentication, which requires users accessing accounts or apps to provide an additional identity verification, such as scanning a fingerprint or entering a code received by their phones.

In 2020, more than 40% of organizations reported COVID-related disruptions in Tier 2 (and beyond) suppliers, finds a Business Continuity Institute (BCI) report. Without the visibility that strong digital supply chains can provide, these firms lack the information they need to craft alternate plans.

Even as digital supply chains have become more critical, they’ve also become increasingly vulnerable to attack. One-third of organizations reported supply chain disruptions caused by cyberattacks and/or data breaches in 2020, up from 26.1% in 2019, BCI finds.

One reason may be that more organizations are incorporating the Internet of Things (IoT) into their plants, warehouses, and equipment. The global number of connected IoT devices will jump to more than 27 billion by 2025, up from 12.3 billion in 2021, estimates IoT Analytics. While IoT connections provide visibility and efficiency, they can leave organizations more vulnerable to cyberattacks, says Sebastian Reiter, partner with McKinsey & Company and digital supply chain expert.

Safeguarding digital supply chains has become essential. “Technology is a double-edged sword,” says Randal Waters, senior vice president in the emerging risks group of Marsh Advisory. It enables efficiency gains, but the impact of an outage can be significant business interruption, he adds.

Here are nine steps that can help secure digital supply chains.

1 Take a security-first approach to prevent future cyberattacks. The supply chain system connects many vendors, suppliers, and organizations and it’s inevitable that one organization has a weak security infrastructure. “Securing all endpoints within the supply chain system is critical to staying in front of supply chain threats,” says Theresa Lanowitz, head of cybersecurity evangelism with AT&T Business.

