AS CYBERCRIMES CONTINUE TO ESCALATE, IS YOUR SUPPLY CHAIN OFFERING AN EASY ‘SIDE DOOR’ FOR ATTACKERS TO EXPLOIT?

It would be incredibly naïve to think there are still business people who haven’t at least heard of the threat of cybercrime. And, arguably, equally negligent to assume that most of them are doing something about it.


Among SMEs there is sometimes a belief that cyber criminals only target big-brand multinational businesses with high-value reputations to protect. For others, the difficulty is simply knowing where to begin, what cybersecurity costs, and how to tell whether the actions they are taking will actually make them safer from attack.

A new ‘Cyber Readiness Report 2019’ published this month by the global specialist insurer Hiscox – based on a survey of 5,400 firms across seven countries – provides plenty of food for thought for anyone still left in any doubt about the level of threat facing businesses today.

The report identifies: 

· The number of firms reporting cyber incidents has risen from 45% to 61% in the last year

· While larger companies are still the most likely to suffer a cyberattack, the proportion of small firms (fewer than 50 employees) reporting one or more incidents is up from 33% to 47%. For medium-sized firms with between 50 and 249 employees, the proportion has leapt from 36% to 63%

· For the first time, a significant majority of firms surveyed said they experienced one or more cyberattacks in the last 12 months

· No industry is immune: in every one of the 15 sectors tracked in the report, the proportion of firms reporting one or more attacks has risen sharply

· Both the cost and frequency of attacks have increased markedly compared with a year ago, and where hackers formerly focused mainly on larger companies, small- and medium-sized firms are now equally vulnerable

· The mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000, an increase of 61%, with medium and large firms bearing a disproportionate amount of the cost

· Nearly a quarter of firms (24%) suffering a cyber incident report a virus or worm infestation and 17% a ransomware attack. The number suffering a distributed denial-of-service (DDoS) attack is up from 10% to 15%. The frequency of attacks has also increased markedly: among firms that experienced cyberattacks, the proportion reporting four or more incidents is up from 20% to 30%

· Bigger firms are more likely to have suffered repeat incidents. More than a fifth (21%) experienced five or more attacks in the year

· Data theft has become commonplace, and the scale of ransom demands has risen steadily

Regulation is going some way to improving awareness and mandating a baseline of cybersecurity rigour, the Hiscox report states. The introduction of the EU’s General Data Protection Regulation (GDPR) in 2018, to which businesses have had to adapt, has also generated an uptick in demand for cyber insurance. Companies are also investing more in cyber protection: the average spend on cyber is now $1.45 million and the pace of spending is accelerating. The total spent by the 5,400 firms in the report came to a remarkable $7.9 billion, and two-thirds of respondents said they planned to increase their spending on cyber by 5% or more in the year ahead.

Respondents were asked a series of questions covering their approach in four areas – strategy, oversight and resourcing on the one hand and technology and process on the other. Based on their feedback, the study ranked respondents on a scale from ‘cyber novice’ and ‘cyber intermediate’ to ‘cyber expert’. Overall, the proportion of firms that made it into the expert category was slightly down year-on-year from 11% to 10%. Intermediates made up a further 16% and novices constituted the remaining 74%.

Is the supply chain a weak link?

Although the Hiscox report is now in its third year of publication, 2019 is the first time it asked a series of questions relating to the security of firms’ supplier networks.

It states: “Nearly two-thirds of respondents (65%) said they had experienced one or more cyberattacks as a result of a weak link in their supply chain over the past year. The figures were highest in Belgium and Spain (73% and 72% respectively). Overall, three-quarters of technology, media and telecoms (TMT) and transport firms were targeted. Just over half of all firms in the study now include cyber KPIs in their contracts with suppliers. The figure is 65% among enterprise firms but only 39% among small firms.”

Asked how often they evaluated the security of their supplier networks, nearly three-quarters of firms (74%) said they did so at least once a quarter or on an ad-hoc basis, while 8% of firms said they had increased evaluation of their supply chain as a result of an incident in the past year.

Most significantly, nearly two-thirds of firms (65%) had experienced cyber-related issues in their supply chain in the past year.

TAPA’s response to cyber risks

The issue of cybersecurity in relation to supply chains and supply chain partners has been a key focus for TAPA in recent months, as a broad group of the Association’s members have considered and drafted a potential Cyber Security Standard for consideration by TAPA’s World Wide Council. While this is still a work in progress, it remains on track to ‘go live’ in 2020 once all of the necessary Standards protocols have been completed.

Andrew Parkerson of Cisco Systems is one of the members of this Subject Matter Expert group. He said: “Those of us with logistics physical security backgrounds can and must learn the basics of cybersecurity as part of our continuous education and learning, just as we stay current with the physical threats which are changing all the time. Our job is to help protect our companies: this now includes being aware, at least on a high level, where the cybersecurity threats are coming from and the basics on how to help protect against them, and help spread this message to others in the supply chain.”

Vigilant invited Andrew to tell us more about TAPA’s thinking on cyber and the work that has already taken place as part of the evaluation for a new Security Standard…

In the October 2018 issue of Vigilant, it was stated that no one in the industry has previously addressed cybersecurity from a supply chain security perspective. Why is that? 

Individual companies are (1) relying on their own internally-developed cybersecurity guidelines, or (2) don’t have the internal teams or expertise to develop cybersecurity standards, or (3) rely on the NIST cybersecurity framework, or (4) have not addressed cybersecurity because of lack of resources, or (5) don’t know where to start.

Do you think supply chain security professionals mostly focused on managing physical risk and preventing product losses see cybersecurity as part of their role?

No. But they should. One problem is finding training which is not too technical but is technical enough. SANS.org has training courses (SEC401: Security Essentials Bootcamp Style) and is a good start. Pricey, but a self-paced, online course. And, they need to engage with their IT department if they can. Also attend industry conferences such as Black Hat (Las Vegas, APAC, EMEA) or RSA Security conference (San Francisco, APAC, EMEA). Here again, it may be very technical, but the exposure to what the IT folks are talking about is invaluable.

Is the thinking behind the new standard that it would mostly benefit SME members which, perhaps, don’t have the same level of cyber security as big global brands?

Yes, I believe that was the goal. To give the medium-to-smaller companies a starting point. And, maybe to give to larger companies who have not thought about incorporating physical and cyber security into their auditing framework when dealing with suppliers.

What type of reception do you think a supply chain security director is going to get when they try to get their in-house IT teams to adopt a future TAPA cybersecurity Standard?

I am willing to bet that most IT departments have not thought of cybersecurity in terms of their supply chain partners. The larger companies, maybe. But is there engagement between the IT departments? Probably not at the level that it needs to be. Thus, our Standard can be used as a baseline, used to open the discussion between a company’s supply chain and IT departments.

Do you think SME businesses – from a supply chain security perspective – see cybercrime as a genuine threat or do they feel safer because they expect cyber criminals to be targeting big multi-national businesses?

I think that if they don’t see cybercrime as a genuine threat, they are fooling themselves. Businesses of all sizes can be targeted. Smaller businesses are used as side doors to get into bigger businesses, as we have already seen in many high-profile cases. 

At this stage, is there anything more TAPA members can be doing to support your development work?

In due course, feedback on the proposed Standard. What don’t we know; what knowledge, training would be helpful; what experiences have they seen? We had a large number of people who wanted to be involved in the development but were unable to participate on a regular basis. Having them take a look at the Standard with a fresh set of eyes and giving input will be helpful.

What would you say to a TAPA member who feels cybersecurity falls outside of the traditional cargo crime prevention role in companies?

Supply chain security risk is now part of our job. The interconnection between physical and cyber risk is real. Interconnectivity between companies’ IT systems is how business is done; if your partners’ systems get hacked, your own systems could be hacked. Think of how that would affect your company’s ability to operate. What about your company’s reputation? Do you want to be the next high-profile victim with all the damage that ensues? Automation is growing: trucking, warehouse operations, customer requirements for faster, better information on shipments. This all brings cyber risks.

Is there anything else you’d like to add?

Thanks to all the TAPA members throughout the world that took part in developing the proposed Standard. Open, frank discussion without egos. 

What constitutes good and bad practice?

GOOD

· Executive buy-in: cyber security is a priority for the board or proprietor

· Clear strategy set by multiple stakeholders within the business

· Dedicated head of cyber or team

· Adequate cyber budget: on average, experts spend over $1 million more on cyber than novices

· Regular evaluation of the supply chain, with security KPIs in supply contracts

· Process: the ability to track, document and measure impact

· Cyber awareness training throughout the workforce

· Proactive testing through simulated attacks

· Regular phishing experiments

· Readiness to learn, respond and make changes after an incident

· Cyber insurance policy in place

BAD

· Cyber security dealt with on an ad-hoc basis, with no clear line of responsibility

· No formal cyber strategy, no dedicated cyber budget

· Over-reliance on technology, light on people

· Slow response to incidents

· Occasional, often patchy, employee awareness training

· No evaluation of supply chain vulnerabilities

· No simulation of cyberattacks or employee responses

· Reliance on general property insurance

Source: Hiscox Cyber Readiness Report 2019

The full Hiscox report is available at:

https://www.hiscox.co.uk/sites/uk/files/documents/2019-04/Hiscox_Cyber_Readiness_Report_2019.PDF

OTHER USEFUL SOURCES:

Symantec Internet Security Threat Report:

https://www.symantec.com/security-center/threat-report

Cisco Cyber Security Series Threat Report 2019:

https://www.cisco.com/c/en_hk/products/security/security-reports.html