“We are continually shaped by the forces of coincidence.” The words of American writer Paul Auster certainly rang true with me last week: as I prepared to facilitate an online session on cyber security and risk management with an SCM World community member, the company’s IT network was hit by the Petya ransomware attack, leaving many staff without access to their computers.
Discussion questions submitted in advance by participants included one that specifically called out the threat posed by ransomware, following the WannaCry incident in May, while another asked “How robust are our business continuity plans in case a cyber-attack happens?” Well, by now they should have their answer.
In another coincidence, on the same day the Business Continuity Institute (BCI), a global body for “resilience professionals” based in the UK, published its annual Cyber Resilience Report. The BCI’s survey of more than 700 business continuity, risk management, IT security and other specialists found that ransomware is now a top 5 cause of cyber disruption. In fact, 18% of respondents said their organizations had been affected by it during the past year.
Don’t Overlook the Supply Chain
The BCI report notes that the most common methods of building resilience against ransomware attacks, as with phishing, spear phishing, malware and other major cyber threats, are anti-virus software, dedicated IT security teams and network monitoring. But while these are all vital defensive measures, the report concedes that “most of these efforts remain internally focused at present.”
It continues: “Given the crucial role of supply chains, it is vital that organizations are aware of their suppliers’ cyber resilience.” Almost two-thirds of BCI members say they are worried about data breaches and business disruptions that stem from weaknesses in suppliers’ IT systems.
Supply chain professionals are equally worried. SCM World’s own data from 2016 shows that cyber threats are the number one risk category, with a majority across all industry sectors at least “somewhat concerned.” More than one-third of respondents from media & telecommunications, energy, hi-tech, healthcare & pharmaceuticals and logistics firms report being “very concerned.”
I would bet money on those figures being even higher if we re-ran that survey question today, such is our tendency as human beings to assess risk levels according to the scale of recent events.
A Multi-Threat Landscape
Being locked out of our laptops for a period of time is, of course, just one of many forms of cyber disruption. Our recent report on digital supply chain security described a complex landscape in which risks include physical interference to infrastructure and products, the theft of valuable intellectual property, and intrusions into customer privacy via external suppliers – as was the case at US retailer Target in 2013, for example.
Consumer goods manufacturer Reckitt Benckiser announced this week that the latest ransomware attack had disrupted its manufacturing and ordering systems, leaving the company unable to fulfil some customer orders. It warned that “continued production difficulties in some factories mean that we also expect to lose some further revenue permanently”.
The risk of physical disruption, is magnified by the growth in products and equipment that incorporate both hardware and software components, and the fact that more and more of these are internet-enabled. These developments are blurring the lines between operational technology and physical security on the one hand, and information technology and data security on the other (see graphic).
While the latter is primarily the responsibility of IT and information security departments, supply chain leaders and their teams have a clear role to play in developing cyber resilience across their extended networks. Practical steps might include:
- Raising awareness of digital security issues within the supply chain organization.
- Helping IT security colleagues to understand the supply chain dimensions (most don’t today).
- Mapping the digital supply chain and classifying supply chain data according to its sensitivity and business impact.
- Designing governance mechanisms and appropriate controls for suppliers using existing best-practice standards (for more on this, see my previous blog).
- Specifying digital security requirements in RFPs, pre-award supplier due diligence and contracts.
- Using online and onsite audits, simulations and drills with key suppliers to test how well business continuity plans might work during a cyber incident.
Last week’s ransomware attack provided several companies with a live example to work with, and gave others a reason to step up their cyber-security investments.
In doing so, they need to make sure they focus not only on shoring up their internal networks, but also on building greater resilience into their external ones too.