A recent article by CIPS suggested that cyber-attacks on supply chains are likely to quadruple. A scary and astonishing claim, not because it lacks veracity but because of the sheer scale of the potential impact. Take the recent zero-day attack on a vulnerability in Kaseya's software, which could have impacted as many as 1,500 of their clients.
But why this huge increase? I can think of a few reasons:
- The RoI for a hacker is potentially huge. Exploit one vulnerability in one company and gain the ability to drop a ransomware bomb on hundreds of others.
- Your own business's security may be locked up tighter than Fort Knox (a claim made by every InfoSec team that is rarely true). But can you say the same for every one of 5000, 20000, 50000 suppliers? Highly doubtful. Your company's security perimeter doesn't stop at the firewall!
- Large organisations may be able to afford highly expensive security, but how about that local fabrication shop you use for your welding? They're one of those nice little SMEs with whom you're told you must place x% of your total spend, and who have fully embraced your automated Source to Pay system. Can they afford to spend $2,700/employee on cyber-security? Do they even know they have to, or what to spend it on? Probably not. Historically, SMEs may not have been worth a hacker's time, but if they can be exploited to gain access to much larger organisations then, hell yes, they are.
- Procurement teams embracing automation tools are now at the centre of an interconnected world. Your payment system may connect to thousands of suppliers. You're using e-auction and e-RFx tools. Or how about that catalogue management software? All of these are possible attack vectors.
The trouble is that all those potential attack vectors sit outside the responsibility of your own Info Security team. They become part of an overall Supplier Risk Management strategy that sits very firmly in the bailiwick of the Supply Chain team. Ouch!
It's not an insurmountable problem though. Many companies are used to looking for Indicators of Compromise (IoCs), but defence in depth means also considering Indicators of Exposure. Prevention is better than cure: by understanding the potential exposures in your supply chain and narrowing down the chance of attack, you will reduce the need for costly incident management.