Supply Chain Security: Why Businesses Need to Take Action Against Sophisticated Cyber Threats
Businesses of all sizes face cyber threats, and supply chain attacks are becoming increasingly sophisticated. A recent example, provided by SANS Institute Director of Emerging Security Trends John Pescatore, involved a procurement manager at a mid-size company who received a text message from the CEO offering a 30% discount if they paid their invoice by Friday. Despite being suspicious, the manager wired the money after receiving a voicemail from the CEO. It turned out to be a phishing scheme, with a bad actor manipulating the CEO’s voice to trick the manager into sending money to a fake bank account. Supply chain attacks occur when an attacker infiltrates a system through an outside vendor, and they are expected to continue. In 2022, the number of compromises resulting from supply chain attacks exceeded those linked to malware, according to the Identity Theft Resource Center.
It is crucial to take supply chain security seriously and take the steps to prevent attacks. Companies are often so focused on protecting their products that they forget that tech is part of their supply chain. From ERPs to digital tools that simplify payroll, companies could be using hundreds of different software applications, and each is a point of vulnerability. Procurement teams should have a good grasp of each tech provider a company uses, including whether they are legitimate. Procurement should also add cybersecurity to supplier contracts by requiring suppliers to test the product for vulnerabilities before they are shipped out. Businesses should train and empower employees outside procurement to understand the importance of cybersecurity. Risk rating companies can allow business managers to grade the security of whatever tech they’re about to purchase using publicly-available data. Ultimately, communication and collaboration across business departments, especially between IT and procurement, is crucial to ensure systems are secure, cost-efficient, and provide value.
Source: https://www.supplychaindive.com/news/supply-chain-cybersecurity-risks-what-to-know/647597/
Here are some general steps that your business can take to improve their cybersecurity posture:
- Conduct a cybersecurity risk assessment: A risk assessment will help identify potential vulnerabilities and threats to your organization’s data and IT systems.
- Develop a cybersecurity plan: Once you have identified potential risks, develop a plan that outlines how your organization will manage those risks. This plan should include specific policies and procedures that employees should follow to protect sensitive data.
- Train your employees: Your employees are often the weakest link in your organization’s cybersecurity posture. Train them on how to recognize and respond to potential attacks such as phishing emails, social engineering, and other common tactics used by hackers.
- Implement strong passwords: Require employees to use strong passwords that are difficult to guess. Consider using multi-factor authentication as an added layer of security.
- Keep software up to date: Ensure that all software, including operating systems and applications, are updated regularly with the latest security patches and updates.
- Backup important data: Regularly backup important data and store it in a secure location to prevent loss in the event of a cyber attack.
- Use encryption: Encrypt sensitive data when it is in transit (e.g. email) or stored on devices (e.g. laptops, USB drives) to prevent unauthorized access.
- Monitor your network: Use security tools to monitor your network for any suspicious activity, such as unauthorized access or data exfiltration.
- Have an incident response plan: Develop a plan for how your organization will respond to a cybersecurity incident. This plan should include steps for containing the incident, investigating the root cause, and notifying any affected parties.
