The Colonial Pipeline, SolarWinds, and Microsoft Exchange cyber breaches are the latest vivid reminders that cybersecurity is a core supply chain issue and a threat that is growing in frequency and impact. Colonial Pipeline epitomizes supply chains in the truest sense, providing 45 percent of the fuel to the East Coast of the U.S. SolarWinds had its software development supply chain compromised, affecting an update to 18,000 users of its network management software, including several key U.S. government agencies. Meanwhile, the Microsoft Exchange attack affected at least 30,000 users.
These are perfect examples of why supply chain cybersecurity is so critical. Hackers are systematically disrupting organizations directly and using supply chain companies as an indirect gateway to high-value targets.
All this is taking place at a time of workplace disruption driven by the COVID-19 pandemic. Companies are accelerating their digital transformation to build greater visibility, agility, and resilience into how they go to market and meet the needs of their customers. More critical data is being shared every day in far-reaching global supply chains. All companies today are connected. No company is, nor can be, an information castle surrounded by an impenetrable moat.
SolarWinds is an ugly reminder that if the companies in your ecosystem are vulnerable, you are vulnerable too. From this moment on, you should never again think about cybersecurity without considering third-party risk. And conversely, the companies in your supply chain, even small ones, should never think they’re safe because you “don’t have anything hackers would want.”
In today’s interconnected, increasingly digital supply chain world, every organization of any size is a potential target. Hackers will try to go through you to get to another company, and they will try to go through your customers or suppliers to get to you. The whole situation is made much more complicated by new hybrid business models. Your employees may be rotating between home and office, using different devices and connections. Although you may feel you have the situation under control, what about your suppliers, partners, and other third parties in your supply chain?
For large companies, here are some basic steps you should immediately take with your supply chain stakeholders to help them protect themselves and ultimately protect you.
First and foremost, you should ensure that you and every company in your supply chain have an incident response plan that includes regularly scheduled backups of critical data. As the Colonial incident highlights, knowing what to do during and after an event—and having essential data backed up in the case of a ransomware attack—could mean the difference between a major blow to your business and a mild annoyance.
To help implement this and other actions, the companies in your supply chain should have a designated, trained Cyber Leader: a person who is responsible for building a culture of cybersecurity by focusing on human behavior. They don’t need to be technology experts. They need to be able to communicate how important it is for everyone to develop good cyber habits. They need to make sure that the company puts some simple policies in place around four core issues:
- Passphrases: Encourage them to change passwords to 15-character passphrases. It has been reported that some employees at SolarWinds were using “solarwinds123” as their password. Don’t make it easy for hackers to crack your passwords. Any 8-character password can be cracked in 3 minutes, but a 13-character password takes 5.2 million years.
- Multi-factor authentication: Use it any time it is offered. If it is not offered, consider switching to a software or service that does offer it.
- Phishing: Have them conduct refresher training for employees on how to spot a phishing email or text. The email may even look like it is coming from another person in their company or your company. Reinforce the message to never open an attachment or link if it is at all suspicious. Tell them to contact the sender through an alternative channel to verify it is real.
- Devices: Encourage third parties to review what devices their employees are using to connect to their network or your network. If they are using personal devices, make sure they follow the rules about passphrases and multi-factor authentication. Avoid the use of USB drives and other removable media.
These basic things and other recommendations developed jointly by the Digital Supply Chain Institute (DSCI) and the Cyber Readiness Institute (CRI) can help you begin fortifying your security and that of your supply chain by building an operating culture of cybersecurity. Start today by raising awareness among your third parties. Push them to develop good cyber habits. It is critical to your company and every company you touch. By working together, we can improve cybersecurity for all.
Craig Moss is Executive Vice President of Ethisphere. He is also Director of Change Management for the Digital Supply Chain Institute and Director of Content for the Cyber Readiness Institute.
Christopher G. Caine is President of the Center for Global Enterprise, a New York-based non-profit organization dedicated to the study of the contemporary corporation in the era of global economic integration. He is also President & CEO of Mercator XXI, a professional services firm helping clients engage the global economy.