Supply Chain Security Insights

Supply chain attacks are one of the most common cyber threats faced by organizations. They are costly and disruptive, often resulting in lost revenue and customer trust.

In this article, we’ll discuss five insights about supply chain attacks that all supply chain management and information security teams should be aware of.

#1. Supply Chains Can Be Vulnerable

Supply chains are complex networks of companies, suppliers, customers, and partners that provide goods and services to each other.

They include manufacturers, distributors, retailers, service providers, logistics providers, and others.

These entities may interact directly or indirectly via intermediaries such as banks, insurance companies, payment processors, freight forwarders, customs brokers, etc.

Supply chains are vulnerable to attack because they involve multiple parties and interactions between them. Each organization in the chain will have its own risk profile, security posture, and business model. This creates a complex environment for security risks. Attackers can target any part of the supply chain, and often focus on the weakest link, including manufacturing facilities, distribution centers, warehouses, transportation hubs, retail stores, etc.

Attackers can disrupt operations, steal intellectual property, damage reputation, and cause losses in revenue and profits.

#2. Supply Chain Security Must Include All Stakeholders

Supply chain security involves protecting against threats across the entire value stream. This means securing data, processes, systems, physical assets, personnel, and technology.

It also requires integrating security practices and technologies across the entire organization.

This includes ensuring that information sharing occurs among stakeholders, that employees understand their roles and responsibilities, and that policies and procedures are followed.

Security professionals should collaborate closely with executives, managers, and staff members to ensure that everyone understands the importance of security and has ownership over its implementation.

#3. Supply Chain Security Requires Ongoing Monitoring and Maintenance

Supply chain security requires ongoing monitoring and maintenance.

An effective approach is to continuously monitor the status of key indicators, assess risks, identify vulnerabilities, and implement countermeasures.

For example, an attacker could attempt to compromise sensitive data stored in databases, websites, mobile apps, and other locations.

To prevent these incidents, security teams should regularly review logs, audit reports, and other intelligence sources to detect suspicious activity.

They should also perform penetration tests, vulnerability scans, and other assessments to uncover potential weaknesses.

#4. Supply Chain Security Requires Collaboration Across Organizations

A single department cannot manage supply chain security within an organization.

Instead, it requires collaboration across departments and functional areas, including IT, finance, procurement, human resources, legal, marketing, sales, and others.

Each stakeholder must be responsible for maintaining security, understanding what constitutes acceptable behavior, and implementing appropriate controls.

Collaborating across organizational boundaries helps avoid silos of knowledge and expertise that can lead to gaps in security awareness and training.

#5. Supply Chain Security Is Critical to Organizational Success

Organizations that fail to protect their supply chains face significant financial penalties.

A recent study found that supply chain breaches cost United States businesses $6 trillion annually.

That’s equivalent to nearly 10% of the annual global GDP.

Supply chain attacks can result in lost revenues, damaged reputations, and increased costs.

Companies that invest in supply chain security can significantly improve operational efficiency, productivity, profitability, and brand image.

How Do I Know If My Company Needs a Risk Management Policy?

Risk management policies protect companies against financial losses due to various risks. These risks include legal issues, employee misconduct, environmental hazards, etc.

A company may implement a risk management policy to minimize these risks. However, several questions should be asked before implementing such a policy.

What Are the Risks That Could Lead to Financial Losses?

Many types of risks can lead to financial losses. Some examples include:

• Legal issues

• Employee misconduct

• Environmental hazards

• Product liability

• Cybersecurity threats

• Data breaches

• Other

It is important to understand what type of risk your company faces. For example, if your company sells products online, you will face cyber security risks.

Are There Any Existing Policies?

Before deciding whether or not to adopt a risk management policy, it is important to determine whether any existing policies cover the risks your company faces.

For example, if your company has an insurance policy, then you may not need to implement a separate risk management policy.

However, if your company does not have an insurance policy, then it is necessary to consider implementing a risk management policy.

Is Implementing a New Policy Worth It?

Once you know what type of risks your company faces, it is time to decide whether or not to implement a risk management plan.

Some companies feel that they do not need a risk management plan because their current policies already address their risks. However, this decision should be made carefully.

If your company does not have a formal risk management policy, then it is possible that some of the risks your company faces could go unaddressed. This means that the risks could become more significant problems down the line.

In addition, if your company decides to implement a risk management program, it is crucial to ensure that the program covers all the risks your company faces, including those currently unaddressed.

Do Your Employees Understand What Is Being Done?

When implementing a risk management plan, it is vital to ensure employees understand what is being done.

This includes explaining why the risk management plan was implemented, how the plan works, and what steps must be taken to comply.

The goal here is to ensure that employees understand your company’s risks and how the risk management plan helps mitigate them.

Will the Plan Be Cost-Effective?

Finally, it is essential to evaluate whether or not the risk management plan will be cost-effective.

Cost-effectiveness refers to the amount of money saved compared to the costs incurred.

For example, suppose your company spends $1 million per year to insure its assets. In addition, suppose that the risk management plan saves $500,000 per year. Then, the risk management plan would be considered cost-effective if it saves $500,000 annually.

In this case, the risk management plan is cost-effective because it saves $500,00 annually.

However, if the risk management plan only saves $100,000 per year, then the plan is not cost-effective.

In Conclusion

As discussed above, there are many reasons to implement a risk management strategy.

These strategies can help your company avoid potential financial losses caused by certain risks.

In addition, implementing a risk management plan can make your company more efficient and productive.

 

A Cynefin Risk Management Use Case

Lately, I have been working on using the Cynefin framework to help a client with supply chain risk management. I’m not going to dig into the specifics here, but I wanted to share a quick workflow that we used during this process that has been very useful for us.

Risk Matrix

First, we built a risk matrix for supply chain risk. Basically, there are a number of these available via the various search engines. We took some of the most common ones and tore them down to commonalities, then built them into our matrix. We turned this into a simple spreadsheet.

Heat Mapping

Next, once we had our risk matrix, we did an exercise where we heat mapped the various risks, scoring them high/medium/low subjectively. This gave us an excellent tool to monitor our situation and communicate it with our stakeholders.

Applying Cynefin

Next, we mapped all of the high risks into the cynefin framework by researching the present state of each, whether best practices were available and relevant, being developed, or still in the experimental stage. This gave us a good idea of which problems we could simply focus on using known techniques and skills against, which ones we needed to take existing decent practices and optimize them, and which problems we needed to experiment with solutions for.

Sharing and Feedback

Overall, the exercise took around an hour to complete once we compiled the basic templates and completed the risk matrix research. For those of you facing complex risk management problems, this workflow might assist. Let me know on social media (@lbhuston) if it provides any help or if you have suggestions and feedback. Thanks for reading!

3 Steps To Increase Cyber Security At Your Dealership

Car dealerships and automotive groups are juicy targets for cybercriminals with their wealth of identity and financial information. Cyber security in many dealerships is lax, and many don’t even have full time IT teams, with even fewer having cybersecurity risk management skills in house. While this is changing, for the better, as dealerships become more data-centric and more automated, many are moving to become more proactive against cybersecurity threats. 

In addition to organized criminals seeking to capture and sell personal information,  global threats stemming from phishing, malware, ransomware and social engineering also plague dealerships. Phishing and ransomware are among the leading causes of financial losses tied to cybersecurity in the dealership space. Even as the federal regulators refine their focus on dealerships as financial institutions, more and more attackers have shifted some of their attention in the automotive sales direction.

Additionally, a short walk through social media doesn’t require much effort to identify dealerships as a common target for consumer anger, frustration and threats. Some of the anger shown toward car dealerships has proven to turn into physical security concerns, while it is almost assured that some of the industry’s network breaches and data breaches can also be tied back to this form of “hacktivism”. In fact, spend some time on Twitter or chat rooms, and you can find conversations and a variety of information of hacking dealership wireless networks and WiFi cameras. These types of cybersecurity incidents are proving to be more and more popular. 

With all of this cybersecurity attention to dealerships, are there any quick wins to be had? We asked our MSI team and the folks we work with at the SecureDrive Alliance that very question. Here’s the best 3 tips they could put forth:

1) Perform a yearly cybersecurity risk assessment – this should be a comprehensive view of your network architecture, security posture, defenses, detection tools, incident response plans and disaster recovery/business continuity plan capabilities. It should include a complete inventory of all PII and threats that your dealership faces. Usually this is combined with penetration testing and vulnerability assessment of your information systems to measure network security and computer security, as well as address issues with applications and social engineering. 

2) Ensure that all customer wireless networks and physical security systems are logically and physically segmented from operations networks – all networks should be hardened in accordance with information security best practices and separated from the networks used for normal operations, especially finance and other PII related processes. Network traffic from the customer wireless networks should only be allowed to traverse the firewall to the Internet, and may even have its own Internet connection such as a cable modem or the like. Cameras and physical security systems should be hardened against attacks and all common credentials and default passwords should be changed. Software updates for all systems should be applied on a regular basis.

3) Train your staff to recognize phishing, eliminate password re-use among systems and applications and reportcybersecurity attacks to the proper team members – your staff is your single best means of detecting cyber threats. The more you train them to identify and resist dangerous behaviors, the stronger your cybersecurity maturity will be. Training staff members to recognize, handle, report and resist cyber risks is one of the strongest value propositions in information security today. The more your team members know about your dealership’s security protocols, service providers and threats, the more effective they can be at protecting the company and themselves. Buidling a training resource center, and setting up a single point of contact for reporting issues, along with sending out email blasts about the latest threats are all great ways to keep your team on top of the issues.

There you have it, three quick and easy wins to help your dealership do the due diligence of keeping things cyber secure. These three basic steps will go a long way to protecting the business, meeting the requirements of your regulatory authority and reduce the chances of substantial harm from cyber attacks. As always, remaining vigilant and attentive can turn the tide. 

If you need any assistance with cybersecurity, risk management, penetration testing or training, MicroSolved and the SecureDrive Alliance are here to help. No matter if you’re a small business or a large auto group, our risk management and information security processes based on the cybersecurity framework from the National Institute of Standards and Technology (NIST) will get you on the road to effective data security. Simply contact MSI via this web form, or the SecureDrive Alliance via our site, and we will be happy to have a no cost, no hassle discussion to see how we can assist you.  

ClawBack For Credit Unions

I got a question recently from one of our Credit Union clients about ClawBack™. They explained that they don’t really do any internal development, so leaking source code was not a concern for them. Based on that, they wondered, would ClawBack still be a useful tool for them?

I pointed out that most larger Credit Unions do some form of development, or at the very least, that their systems admin folks often write (and potentially expose) scripts and other management tools that would be of use to an attacker. However, even if they didn’t do any development at all, leveraging something like the Professional level of ClawBack as a DIY tool ($149.00 per month) is still a good idea.

Further, I explained that source code leaks are only one third of the focus of the ClawBack tool. It also searches for leaked device/application configurations and leaked credentials. Every Credit Union with a network needs to think about leaked device and application configurations. These are the most commonly found items in ClawBack’s history. Whether by accident, or misunderstanding or malicious intent, thousands of leaked configuration files wind up on the Internet in repositories, support forums, answer sites, social media and paste bins. When found, they can provide significant amounts of damaging information to attackers, ranging from logins and passwords to sensitive cryptography and API keys. In some cases, they can be a nearly complete map of the internal network.

Thirdly, ClawBack also focuses on leaked credentials. It can help identify stolen and compromised passwords belonging to members of your organization. Many times, these credentials contain the same or similar passwords as Internet exposed applications, webmail or email access and potentially even weakly secured VPN instances. Stolen and leaked credentials are among the most significant root causes of breaches, business email compromise and a variety of other fraud.

Your CU Security team can add ClawBack to their toolkit for less than $150 per month. It’s simple to use, flexible and an incredibly powerful capability to minimize the damage from data leaks. Check out this less than 8 minute video for more information. If you’d like to discuss ClawBack or our ClawBack Managed and Professional Services, please drop us a line, or give us a call at (614) 351-1237 today.