Supply chain is a like house of cards. A cyber-attack on one can bring the others down
Never before have supply chains been so interconnected. Now the fallout from a cyber-attack can spread fast and wide. That was proved in 2019 when cyber-attacks brought one of Australia's largest players to its knees in a matter of hours. The effects rippled up and down the supply stream, impacting the flow of products.
What happened in 2019 can happen to all. Now, everyone in logistics is open to cyber-attack because the drivers of supply chain efficiency - data and connectivity - are also key attack vectors.
Most organisations aren't fully prepared for an attack. If cyber-security isn't front and centre in your supply chain strategy, you'll most likely pay the consequences.
Multiple threats, multiple fronts
The increasingly digital nature of the industry means that more parts of the supply chain connect to each other, with data as the common thread.
This interdependence offers more avenues of attack. Having linked systems, networks, databases and devices in your organisation can also create opportunities for an attack to spread. These then multiply as you connect to your partners, who in turn connect to their partners.
Interdependence also makes supply chain a high-value target for ransomware, business disruption, and data theft. Cyber-criminals have recognised the importance of the supply chain. Organisations must too - and not just those in logistics. Attacks on the supply chain are everybody's problem.
Awareness is the first step
Every organisation must ratchet up awareness of cyber-threats and its seriousness. You need to take the position that a cyber-attack is a matter of when, not if.
This awareness has to permeate all levels of the organisation. Cyber-security is not just a technology issue for IT and security departments, it covers your business processes and all the people involved with them.
The attitude of the senior leadership is vital. The board and senior executives must understand the gravity of threats so they can mitigate security risks to protect profitability.
From here it's essential to invest in a solid security strategy. And since threats are wide and varied, your strategy should be holistic in approach.
Understand the criticality of your information
Define your information assets and their importance to your organisation. How critical is it that an information asset remains confidential? That it retains integrity? And that it remains available?
The Telstra 'five knows of cyber-security' can be applied here: know the value of your data; know where your data is located; know who has access to your data; know who's protecting your data; and know how well your data is protected.
Apply a least privilege model
Based on the criticality of each information asset, you can address the question of who should have access to it and who shouldn’t. Least privilege is the way to go - only give users access to information they need to perform their role.
The same applies to your supply chain partners. For example, make sure your critical data is quarantined and partners only have access to what they need.
Recovery is as vital as prevention
Understanding the criticality of information will help you create a business continuity plan. This can prioritise the recovery of your business systems, as well as the systems that support information flows through your business systems.
The recovery of each system contributes to your business continuity plan. But you need to look beyond the recovery of individual systems to include your wider business processes and the failover methods necessary for resilience.
A business continuity plan also lets you create hypothetical scenarios. You can work out how to recover systems without the pressure of an actual incident when emotion and panic can cloud decision making.
Above all, test and re-test your plan. Do dry runs of what could happen. You hear of airline companies where CEOs regularly bring in the senior team to role-play a crash. The industry needs to take cyber-attack exercises to this level of seriousness.
Define a policy for supply chain partners
A security breach in one of your partners - or one of their partners - can flow on to you. You should have a supply chain policy and an information sharing process that is contractually agreed to with your partners.
The policy should address supply chain risk management between your companies, guidelines on how they store your data, how they access your data, and a plan to minimise damage if an exposure occurs.
Just like your own security measures, you should monitor their security posture with third-party risk audits on a regular basis and factor that in to your business continuity strategy.
Now is the time to take action
The increasing digitisation of supply chain brings an increase in attack surface for cyber-criminals to exploit. Perhaps the wisest course is for major players to create a minimum industry standard for cyber-security. Until that happens, it's up to each organisation to take responsibility for itself, with the knowledge that what affects one, can affect us all.
From the Telstra Purple Team:
Telstra Purple was named Leader in the 2021 ISG Provider Lens Quadrant for Technical Security Services. Our security team can assist you with multiple aspects of cyber-security including:
- Governance - what to do?
- Risk - why it needs to be done
- Solutions - how it is done?
- Assurance - is it done?