Globally, cybercrime has been on the map for a long time. Governments are aware of this fact, as are authorities and pretty much anyone doing business. But to what extent are we aware of cybercrime, and are we doing enough to nip it in the bud? The crystal-clear answer is: not yet.
The term cybercrime conjures up film-like images of mysterious hackers in dark rooms furiously typing away at worn-away keyboards while glaring at neon-green Unix terminals on dust-laden monitors. Does that sound like a movie or pop culture reference? Something out of Swordfish or The Matrix, or sci-fi novels for instance? Funnily enough (or rather un-funnily enough), cybercrime is very real and is causing unprecedented global problems (albeit not exactly as portrayed in the movies). There is even evidence that the DTCC (Depository Trust and Clearing Corporation) identified these cyber risks in a 2013 paper entitled ‘Systemic Risk White Paper’ as “arguably the top systemic threat facing not only the global financial markets and associated infrastructures, but also world governments and military establishments”. Cybercrime threats are everywhere today, but they did not receive the required attention in time, as this global risk has been building its strength in the shadows for years. Cybercrime has even made its infectious way across the cyber-physical realm, transforming into something that can seriously hurt us in the real world. One of these facets is what is called the ‘supply chain’. We are going to look at the cybersecurity issues surrounding supply chain cybercrime, and other factors, to shine a light on just how prepared we have to be as a society in the fight against cybercriminals and cybersecurity vulnerabilities.
Cybercrime: A Brief Introduction
To grasp how salient supply chain cybersecurity is in the global risk/threat agenda, looking at some precedent may clarify aspects of this topic for a lot of folks. What we call cybercrime today goes back quite a ways, to simple data theft in the early heyday of information technology in the 1980s. This period, keep in mind, is before the internet was released to the public at large. At that time, email was cutting-edge technology, which allowed for a plethora of malware and scams to be delivered to the first netizens (internet citizens). The next significant cybercrime wave took place in the following decade, the 90s, when the dot-coms and web browsers arrived. This is the era of viruses, and since neither computers nor browsers were protected then, simply visiting a website would land you some malware (and pop-ups galore) and you would be none the wiser. Yet another decade later, the 2000s were to be the launching pad for modern cybercrime. As social media came into being and the number of internet users rose exponentially, the amount of sensitive online data was on a vertical tangent. The 2000s also saw the rise of ID theft, bank account breaches, as well as credit card and other types of financial fraud. Looking back now, the period between 2010 and 2021 is that of the digital transformation, IoT (Internet of Things) devices, hyper-speed 4G and 5G internet, and cloud storage. The latest wave of cybercrime is very different from anything we have seen, proven by the fact that the worst cyberattacks in history happened just last year and almost toppled the United States’ thickest defense castle walls. Cybercrime at the moment, shockingly, causes around one trillion dollars of damage annually. The most common types of cybercrime are phishing, ransomware, and other malware, typically chosen because they offer the best bang-for-the-buck and ROI (Return on Investment).
Supply Chain Cybersecurity
When we think about cybersecurity, a.k.a. the digital defense systems, tools, hardware, and knowledge that fight cybercrime, we don’t often think about the supply chain. What is this supply chain and why is it overlooked? A supply chain belongs to a service provider’s or traditional manufacturer’s supply process (which can also mean the data supply chain). Supply chains are extremely vulnerable to disruption from third parties. Every organization, institution, and business in some shape or form utilizes a supply chain. These days, the issue is that the crucial global supply chain is vulnerable to cybercrime and several organizations are not taking the responsible cybersecurity measures to protect their supply chains. Let’s think about two examples: cybercriminal disruption to Covid-19 vaccine supply chains and a 2018 instance of auto manufacturer and parts leaks. In both of these cases, third parties (vendors) were the weakest link. This means that the integrity of a supply chain, as well as its data/goods, is in danger of being disrupted by malicious actors (hackers and the like). A supply chain can be deconstructed into an ecosystem that involves suppliers, vendors, and miscellaneous third parties that have access to an organization’s IT infrastructure. When functioning properly, these facets allow for greater opportunity, efficiency, and successful processes for that organization. Yet, the problem is that the more complex an ecosystem becomes, the wider its attack surface and the greater the risk from potentially vulnerable endpoints. The digital defense, or cybersecurity, of a supply chain is only as strong as its weakest link.
Best Practices in Supply Chain Cybersecurity
Now that we’ve covered the birds-and-the-bees (the basics) of supply chain cybersecurity, we need to understand how best to mitigate these problems by taking industry best practices, as well as expert cybersecurity advice, into account. Since supply chain attacks are becoming more frequent due to more data being shared with more suppliers and service providers, let’s think about the following:
• An organization must know exactly who has access to what. Auditing third-party relationships is a good first cybersecurity best practice.
• Instituting a clear cybersecurity policy is the responsibility of the organization, not the third party that only facilitates these processes. Asking the right questions and implementing measures promptly will save organizations valuable downtime, which can be extremely costly.
• The continuous monitoring of data is crucial to establish an insight into potential threats to network and data security.
• An organization’s systems must be updated and patched at all times with the latest releases.
• Tight security controls mean analyzing vulnerabilities in the products within the supply chain, which can often have insufficient or simply bad cybersecurity measures (even malware in some cases), in order to avoid MITM (Man-in-the-Middle) attacks, for example.
• Password security is a must, and the use of default manufacturer passwords must be thrown out of the window at once.
• Educating the workforce in cybersecurity measures (passwords, monitoring, cybersecurity software, threats, human error, phishing, and other malware). This means attack scenario and potential phishing scenario training. This way everyone from the employee to the customer is better protected, and data is as well.
• Remaining compliant at all times with regulations and standards such as HIPAA, GDPR, CCPA, and other cybersecurity or information/data security frameworks.
Without proper cybersecurity measures and adherence to regulations in place, an organization is at great risk of malware and, in the worst-case scenario, APTs (Advanced Persistent Threats). The supply chain offers several benefits; however, as discussed above, it also opens up several potential entry points for cybercrime to seep through. Today’s economy is on its way to being fully digitally transformed, and as great as reliance on e.g. cloud storage and encryption may be, we all have to stay vigilant and implement best practices to accommodate our work to today’s dynamic, shifting, and hyper-interconnected economies.