Cyber Security in Supply Chain. Is it that important?

This article was first published on my LinkedIn profile – here.

One thing is clear. Protecting your data is of the utmost importance in this day and age, especially if you are a multi-million company with global or regional operations. You must take care that your computers, networks and programs are protected and your employees are trained. Cyber attacks can bleed companies of huge amounts of money.

The interconnection of the logistics sectors and their reliance on data and software to track the movement of goods make the industry one of the most exposed to the danger of cyber attacks.

Data is being shared and stored, which makes companies in the logistics market ideal candidates for hacking. The motivations can be acquiring information on customers, such as banking details, or, for smugglers, gaining control of a specific part of a supply chain.

Cybersecurity is among the top concerns facing organizations today, which is no real surprise given the number of highly publicized data breaches, distributed denial of service (DDoS) attacks, and the growing expense and multifaceted nature of solving these issues. With the proprietary design, pricing and contract intelligence that flow through complex supply chains, supply management organizations must account for and address the cybersecurity risks in their operational planning and execution. This seemingly straightforward task requires supply management leaders to understand and balance operational performance opportunities and cybersecurity risk trade-offs within current business plans.

Cyber-based data gathering has become the method of choice for an expansive range of these organized threats, for several reasons:

  • It’s cheap and easy. Sophisticated attack tools are easily accessible at hacker sites and require little expertise to use.
  • It’s fast. The very nature of the technology allows the attacker to quickly transfer vast amounts of information, and once your information is out, you can’t get it back.
  • It’s nearly undetectable and un-attributable. The ability of attackers to remove digital fingerprints, the increasing similarity between the tools, tactics and techniques used by various attackers, and the ability to mask geographic location in cyberspace make it difficult to definitively assign blame.

Deloitte on Cyber Risk

A new Deloitte study, “Cyber Risk in Consumer Business,” mentions that consumer products companies, retailers and restaurant businesses may be operating with a false sense of security.

The study captures information from more than 400 chief information officers, chief information security officers, chief technology officers and other senior executives about cyber risks and response plans affecting customer trust, payments, executive level engagement, human capital and intellectual property.

According to the study, more than three-quarters (76%) of consumer business executives report they are highly confident in their ability to respond to a cyber incident, yet many simultaneously face issues that critically impair their ability to do so.

Among the findings:

● The majority of executives surveyed (82%) indicate their organization has not documented and tested cyber response plans involving business stakeholders within the past year.

● Less than half (46%) say their organization performs war games and threat simulations on a quarterly or semi-annual basis.

● One quarter (25%) report lack of cyber funding.

● Roughly 1 in 5 (21%) lack clarity on cyber mandates, roles and responsibilities.

Real life examples

When Danish shipping giant A.P. Moller-Maersk’s computer system was attacked on June 27 by hackers, it led to disruption in transport across the planet, including delays at the Port of New York and New Jersey, the Port of Los Angeles, Europe’s largest port in Rotterdam, and India’s largest container port near Mumbai, according to reports. That’s because Maersk is the world’s largest shipping company with 600 container vessels handling 15 percent of the world’s seaborne manufactured trade. It also owns port operator APM Terminals with 76 port and terminal facilities in 59 countries around the globe.

For the transportation and logistics (T&L) industry, the June 27 cyberattack is a clarion call to elevate cybersecurity to a top priority. Besides Maersk, press reports said other transportation and logistics industry giants were affected including German postal and logistics company Deutsche Post and German railway operator Deutsche Bahn, which was also a victim of the WannaCry ransomware hack in May.

Looking for the weakest link

While up until now hackers have seemed more preoccupied penetrating computer systems at banks, retailers, and government agencies – places where a hacker can find access to lots of money and data and create substantial disruption – the most recent ransomware attacks demonstrate that the transportation and logistics industry is now on hackers’ radar.

The transportation and logistics industry has characteristics that make it a particularly tempting target. First, the industry is a global one with tentacles into so many different industries around the world. Complex logistical chains are created around manufacturers, and often logistics companies are embedded within production facilities controlling inventory and handling on-demand needs of a plant.

As with all forms of warfare, attackers will seek out the weakest link in any chain – the most vulnerable element – as a target. Why steal money from the bank with all its infrastructure and protections when you can steal it on the way to the bank? While efforts are made to protect it along the way, almost any criminal could tell you that it is almost always more insecure in transit.

Bringing security to fragmentation

The industry’s fragmentation and its requirement to operate within the various IT systems of its customers make figuring out cybersecurity solutions more challenging and have led to lower investment. The industry also operates on low margins, making extensive capital expenditure on cybersecurity unattractive. That may be offset by the potential liability costs from hacks.

There are several low-cost, manageable steps that can demystify the cybersecurity risk discussion. These steps also will help you validate your organization’s perceived risk position and reduce its supply chain’s exposure.

They include:

1) Establishing a common understanding of the interdependence and impact of operational business decisions on cybersecurity

2) Conducting a focused assessment to validate your organization’s perceived risk position and form a basis to prioritize investment and implementation strategies

3) Integrating enterprise leadership and the supply chain into a coordinated solution to deter and handle cybersecurity issues.

Understanding Cybersecurity Links

Bridging the technical and business sides of this complicated problem is critical if senior leadership is to effectively provide cybersecurity oversight and guidance in the areas of IT acquisition, adoption of business applications and processes, cybersecurity budgets and IT outsourcing.

Without a common baseline understanding of the size, cost and complexity of the cyberthreat, and the remediation and transfer options available to the organization, it is difficult to truly appreciate and scope your organization’s risk profile. To make matters worse, without a common orientation, the response and remediation may not be satisfactory when a cybersecurity event occurs.

For example, when the CEO wants to know exactly how long an adversary has been on the system or exactly what was taken, it would be more productive if he or she understood basic cyberforensic capabilities and limitations.

Conclusions

Increasingly, shippers and regulators will require transportation and logistics companies to guarantee the integrity of product and transport data, as well as ensure compliance with stricter cybersecurity laws. This will include carriers and forwarders, who are assuming central roles in supply chains as hubs for data exchange, making them high-value targets.

Every organisation must be as active as possible in building strong systems for protection against cyber attacks. Forward-looking companies will begin to see a safer logistical offering as a competitive advantage, especially if attacks continue. In the end, no industry will be entirely safe from the threat of cyberattacks. But every industry must do its part to at least make the job of hackers hard.
