The WannaCry cyberattack from earlier this month serves as the latest reminder of the threats faced by organizations in today's marketplace. Malicious actors are becoming increasingly sophisticated, and their reach extends to every corner of the globe.
Additionally, the threat is real regardless of an organization's size or profile. For instance, many small and medium-sized businesses rely on the concept of "security through obscurity", as they wrongly assume that they are not important enough to be targeted by hackers.
In reality, quite the opposite is true. Today's attackers anticipate that these companies, such as the famed German Mittelstand, do not take security seriously, making them attractive targets because of a higher likelihood of success and a lower chance that their attacks are detected.
Supply chains bring added risk and complexity
Additionally, companies today are dealing with an even greater vulnerability arising from their growing supply chains. For instance, it is well known that products built across the Mittelstand and other key industrial areas are both sourced from and sold around the world. Unfortunately, these integrated networks dramatically expand a given company's attack surface and epitomise the saying that a "chain is only as strong as its weakest link."
This type of vulnerability is not theoretical. US retailer Target suffered a massive data breach over the Black Friday weekend in 2013. Hackers found their way into the company's network by compromising a third-party vendor. The attackers used login details from refrigeration contractor Fazio Mechanical to breach Target's internal defenses. The attackers were able to steal the credit and debit card details from more than 40 million customers. Similar third-party breaches also occurred more recently at Home Depot, Citroën, and T-Mobile.
Governments are not offering much guidance to companies trying to protect their supply chains. In fact, data protection regulations around the world purposely leave a great deal of discretion to the company via catch-all phrases such as "use appropriate technological, administrative, and physical controls" to protect company data.
Very few go into any detail regarding supply chains or associated parties. European data protection regulations, for example, require controllers of information to certify that third parties who share access to data (or process it) have adequate privacy and security policies in place, but say little beyond that.
There are specific compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0, that directly address third parties and the supply chain for firms in the payment industry, but they are more the exception than the rule.
The stakes are increasingly being raised. The onus is being placed on companies to identify and report such acts in an expeditious manner. For example, the recently approved General Data Protection Regulation (GDPR) establishes a 72-hour window for breach notification.
Firms are dealing with difficult choices arising from an increasingly dynamic threat profile in the face of increased responsibilities and ambiguous regulatory guidance. On the one hand, if they choose to use integrated supply chains then they open themselves up to significant financial and reputational risks associated with any breach. On the other hand, if they cut themselves off from the global economy then they will eventually lose out from an optimisation and competitive standpoint.
While this state of affairs is certainly daunting, it is far from hopeless. In fact, there are a few key steps that a company can take.
First, a company needs to conduct a thorough risk assessment of its own information security policies, software programs, and hardware infrastructure before it can begin thinking about protecting its supply chain. The goal is to identify relevant threat vectors, gaps, and vulnerabilities.
New threats emerge daily, so a company's firewall rules can never be fully current, though company software should always be kept up to date. Firms should look to use detection tools that are both comprehensive and surgical. State-of-the-art tools need to incorporate detection algorithms across the supply chain capable of identifying, detecting, and mitigating unknown unknowns, i.e. zero-day threats.
Once a firm has its own house in order, it must vet all potential partners and vendors with the same level of vigor. This involves ensuring that firms have documented information management and security procedures as well as adequate physical security.
This also means avoiding software and firmware that may have been tampered with during the procurement process, and declining to work with any partners or vendors who may themselves be compromised. It is worth noting that this is a challenging endeavor for any company, but even more so for smaller firms that have limited bandwidth and in-house expertise.
At this point, the firm will need to secure and protect the connections to its partners upstream and downstream through options such as secure Application Programming Interfaces (APIs) or credentialed account authorisations that are designed to enable third-party remote access.
Despite these efforts, there is no perfect security solution for a given company, let alone for an integrated supply chain that spans a continent or the globe. However, taking adequate precautions and using state-of-the-art technology can decrease the likelihood of a breach and increase the chances that a firm can detect and mitigate the threat in short order, enabling the company to compete in today's digitised marketplace on even terms.
Mark Gazit is the CEO of Israeli big data analytics company ThetaRay. Ulf Gartzke is managing partner at Spitzberg Partners in New York.