How Cyber-Threat Affects Supply Chain and Measures to Mitigate It
Understanding Cyber Supply Chain Risk
It is surprising how few companies exercise care when doing business with other companies. A Business Continuity Institute (BCI) survey of the supply chain industry produced a striking result: 72 percent of companies have limited visibility into their IT-enabled supply chain management.
As an emerging trend, organizations often outsource information and communication technology (ICT) services and support to reduce infrastructure cost. Attackers constantly search for weaknesses in networks and systems that undermine an organization’s supply chain information security, and use them to intrude into user systems. Such weaknesses arise mainly because modern organizations still rely on traditional procedures to manage the risks associated with their supply chain.
The involvement of senior executives plays a major role in security work, because they view it as an operational risk to be managed. Organizations need to make provision for the active involvement of C-level executives in establishing information security. According to a survey conducted by Bret Arsenault, Corporate Vice President and Chief Information Security Officer (CISO), Microsoft, 82 percent of financial executives and 76 percent of C-level members value information security. The survey also revealed an ‘involvement gap’ that keeps security from becoming a shared responsibility.
Potential Sources of Threat CIOs Need to Know
In mid-2012, the VOHO campaign was initiated in the U.S. to mitigate watering hole attacks. It was frightening to see how many organizations and sectors were under attack. In a watering hole attack, the attacker identifies the websites most visited by the target population and compromises them by planting malware. This is where cyber security becomes critical, because any weakness in those websites becomes an entry point for the attacker, creating a ‘watering hole’ for the target’s systems. The organization may lose valuable, mission-critical data when a user downloads and installs a file without knowing that it carries malware. The malware then acts as a ‘Remote Access Trojan’ through which the attacker retains control of the target’s system.
Third Party and Botnet
Every organization is racing to provide better services to its clients by hiring third party firms. Third parties make it easy for organizations to share the workload by aggregating, storing, and processing information on their behalf. However, with the rise in cyber-threats, organizations need to be careful when working with third parties, as these may harbour ‘zombie systems’. A ‘zombie system’ redirects the organization’s information to the attacker’s system without the user of the system being aware of it. The information shared by such systems includes organization-critical material: business structure and strategies, financial analysis, and high-profile mergers and acquisitions. The botnet transfers information from the target’s system to the botnet controller over an encrypted channel on the public internet. In this scenario, organizations stand to lose licensed business information, business-to-business marketing techniques, and supply chain management systems. In other words, the attacker gains access to business-oriented information held by third parties and uses it to commit large frauds.
Dragonfly, a cyber espionage group, intrudes into the Industrial Control System (ICS) software of an enterprise to gain control over users’ systems and corrupt legitimate files. Supply chain operators unknowingly download the software from the supplier’s website, and on installation the malware gains control of the system with remote access functionality. Such attacks are devastating because a supply chain involves many suppliers, and checking the legitimacy of each becomes a huge challenge for the organization. The group was found to be aggressively active in Europe and North America; its most recent traces date from 2014, but it still haunts CIOs.
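The encrypted channel itself hides what a zombie system sends, but a controller check-in still tends to recur on a fixed schedule, and that regularity is visible in ordinary proxy or firewall logs. The script below is an added example (not part of this article) that flags source/destination pairs whose connection gaps are almost constant; the log format, host names, addresses and thresholds are all constructed for illustration.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-fixed interval, the 'heartbeat' pattern of a zombie system calling
its botnet controller.  Added example; the log format, hosts, addresses
and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_host> <dst> <bytes_out>"
SAMPLE_LOG = """\
2014-05-01T09:00:00 ws-17 203.0.113.10 512
2014-05-01T09:00:05 ws-17 intranet.example 2048
2014-05-01T09:05:00 ws-17 203.0.113.10 520
2014-05-01T09:10:00 ws-17 203.0.113.10 515
2014-05-01T09:15:01 ws-17 203.0.113.10 510
2014-05-01T09:20:00 ws-17 203.0.113.10 518
2014-05-01T09:01:13 ws-22 cdn.example 90000
2014-05-01T09:07:41 ws-22 cdn.example 120000
2014-05-01T09:31:02 ws-22 cdn.example 400
2014-05-01T09:44:50 ws-22 cdn.example 7000
"""


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    for key in conns:
        conns[key].sort()
    return conns


def gaps_seconds(timestamps):
    """Seconds between each connection and the next one."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the inter-connection gaps.
    Values near 0 mean evenly spaced connections (beacon-like).
    Returns None when there are too few connections to judge."""
    if len(timestamps) < 4:
        return None
    gaps = gaps_seconds(timestamps)
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_connections=4):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs that look like beacons.
    Human browsing (ws-22 above) has irregular gaps and is not reported."""
    hits = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits[key] = (round(mean(gaps_seconds(stamps))), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

On the constructed sample only ws-17 talking to 203.0.113.10 every five minutes is reported; the threshold of 0.1 is a starting point, and in practice the result is a lead to triage against the destination's reputation and the process that opened the connection, not a verdict on its own.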
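The practical defence against a trojanized installer on a supplier's site is to verify every downloaded package against a digest the vendor published through a separate channel before anything is executed. The script below is an added example, not tooling from Dragonfly or from any vendor named here; the sha256sum-style manifest format (`<hex digest>  <filename>`), the file names and the file contents are constructed.

```python
"""Check a downloaded supplier package against the vendor's published
SHA-256 manifest before anything is installed.  Added example; the
manifest format (sha256sum style, "<hex digest>  <filename>"), the file
names and the file contents are constructed."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Return {filename: expected_hex_digest} from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_download(download_dir, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    report = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # Constant-time comparison: not strictly needed for a public digest,
        # but the right habit whenever digests or tokens are compared.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return report


def safe_to_install(report):
    """Installation proceeds only when the manifest is non-empty and every entry matched."""
    return bool(report) and all(status == "ok" for status in report.values())


def demo():
    """Build a constructed download directory holding one genuine file and
    one that was altered after the manifest was published, plus a manifest
    entry for a file that never arrived."""
    genuine = b"ICS-driver-setup v1.0 (constructed sample bytes)\n"
    tampered = genuine + b"\x00constructed extra payload"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "driver-setup.exe"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(d, "hmi-update.exe"), "wb") as f:
            f.write(tampered)
        manifest = "\n".join([
            "# constructed vendor manifest",
            f"{hashlib.sha256(genuine).hexdigest()}  driver-setup.exe",
            f"{hashlib.sha256(genuine).hexdigest()}  hmi-update.exe",
            f"{hashlib.sha256(b'never downloaded').hexdigest()}  plc-tools.msi",
        ])
        return verify_download(d, manifest)


if __name__ == "__main__":
    report = demo()
    for name, status in report.items():
        print(f"{status:9} {name}")
    print("install?", safe_to_install(report))
```

The check is only as strong as the provenance of the manifest: a digest file served from the same compromised download page would simply be replaced along with the installer, so the expected values must come from a separately trusted path such as a signed release note or a vendor contact, and a detached code signature, where the vendor provides one, is the stronger form of the same control.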
Mitigation Practices CIOs Can Adopt
CIOs and other board members can hardly anticipate supply chain risks from every source, because the face of cyber threat keeps changing, and it is difficult for them to come up with concrete supply chain risk solutions. As a result, cyber security is no longer merely the IT department’s concern; it has become a boardroom subject. The mitigation process rests on basic properties that can lower the impact of cyber-threats to a large extent: educating users, upgrading technology, and revamping industry processes to remove any weaknesses that challenge cyber supply chain management. Adopting simple and transparent processes can be fruitful for a complex supply chain, as simplicity is ‘complexity resolved’. To achieve simplicity, supply chain stakeholders can be brought into the risk assessment process, and as many members of the supply chain as possible should be scrutinized.
Small and medium-sized supply chain organizations suffer the greatest losses, as they have very limited resources and are easy targets for cyber attackers. It is a wake-up call for SMEs to obtain Cyber Essentials accreditation, which will help them defend against supply chain risks and improve their reputation. Large organizations have plenty of alternatives for preventing supply chain risk, by merging threat assessments with processes and procedures that assure the safety of their member organizations. Threat intelligence and estate monitoring delivered through technological platforms help improve an organization’s own supply chain risk management.
International Standards for Cyber Security
Apart from organizational measures, companies need to maintain certain standards that keep pace with changing trends in IT. Fortunately, the International Organization for Standardization (ISO) issues standards for Information and Communication Technology (ICT) matters to make sure organizations meet a basic level of practice. Such accreditations are a helping hand for organizations looking for trustworthy and reliable supply chain partners. ISO produces the ISO 27000 series of standards, in which ISO 27001 covers the organization’s process and auditing standards. Under ISO 27001, companies are required to carry out a risk assessment covering the policies the company has adopted for managing information, communications, human resources, physical sites, business continuity, and compliance. Along with the ISO 27000 series, supply chain organizations can be certified to the ISO 37000 series, which covers risk management for the supply chain.