Many organisations and supply chain experts are concerned about cyber security. The risks stemming from supply chain cyber threats are real. In fact, the danger is more frightening and potentially harmful than we realise. Here’s why.
Assessing cyber supply chain security vulnerabilities
Experts on cybersecurity and supply chain management (SCM) like to draw attention to the fact that operating systems are only as strong as their “weakest link.” The “weakest link” argument is evoked with good reason when discussing risk management, says Katherine Barrios, chief marketing officer at Xeneta.
It does not matter how strong your network security is — if there is fragility within it, that’s all that matters, that’s all it takes. Whether the vulnerability stems from poor internal security control or external danger, a compromised link can put the entire global supply chain at risk.
The vulnerability of the supply chain in the midst of the biggest cyber security breach to hit the shipping industry – the breach on Danish maritime giant AP Moller-Maersk’s information technology systems in June 2017- is nerve-racking to say the least. The breach is still causing the international shipping industry to reel.
From one ransomware attack (a variant of “Petya,” originating from a malicious Ukrainian software update, plus phishing emails), near catastrophic failure of global supply chain systems resulted. Terminals in the ports of New York, New Jersey, Miami, Los Angeles and Rotterdam were closed. Terminals operated by Maersk Line, such as the Jawaharlal Nehru Port Trust near Mumbai, India’s biggest container port, couldn’t load or unload because they were unable to track the origins of shipments.
The Port of Gothenburg and many other ports reverted to manual processing for several hours. A freeze on deliveries at the South Florida Container Terminal caused retailers’ orders (including some critical goods) to be delayed.
The backlog of containers continues. Reputational impact on Maersk is high. The financial loss from disrupted production and deliveries of goods to customers in several countries for many companies is too costly to enumerate at this point.
Given that 90% of world trade is transported by sea (Maersk runs close to 600 container vessels and 25% of containers shipped to and from Asia and Europe) (Jacob Gronholt-Pedersen, “Maersk says global IT breakdown caused by cyber attack” Reuters.com), the impact from such a digital disruption in the communication systems of an increasingly interdependent and complex supply chain is far-reaching. Reuters, “Global shipping giant Maersk is reeling from the ransomware fallout,” Fortune.
“Not to overstate it, but there’s a lot of truth to the idea that networked models of security ‘are only as strong as the weakest link,’” writes Paul Martyn, “Risky business: Cybersecurity and supply chain management,” Forbes. “And because big business will continue to outsource and pursue new markets of customers and supply, the scope of the problem is exploding.”
In almost every industry, companies are more dependent than ever upon suppliers, intermediaries, cloud- based communication systems, third-party service providers and vendors in the supply chain network. “The demand for constant online communication creates enormous opportunities for hackers to exploit weak vendor security practices as a point of entry into their ultimate target,” added Steve Bridges, senior vice president of JLT Speciality, an insurance brokerage firm focusing on cyber insurance (Martyn, “Risky Business.”).
It was through one of Target’s vendors – a HVAC company –that a hacker was able to infiltrate the system causing “the nightmare before Christmas” for the retailer and its customers (stolen credit card and debit card information of up to 70 million people) in 2013 (Maggie McGrath, “Target data breach spilled info on as many as 70 million customers,” Forbes.)
The role and risk of vendors in security lapses in the supply chain were further highlighted by the recent data breach at Verizon, the US’s largest wireless communications carrier. Verizon had been employing Israeli-based telephonic software and data firm, NICE Systems to carry out customer service analytics. The incident was discovered in late June 2017.
An employee from NICE Systems had left the data of millions of customers exposed on an unsecured Amazon server for the previous six months. (Todd Haselton, “Verizon responds to breach that affected millions of customer accounts,” CNBC.)
Both buyer and vendor face potential disaster in the supply chain ecosystem. A weighty burden has been placed on buyers to ensure extreme thresholds of security from all vendor partners. In turn, vendors are at constant risk of legal liability from customers should a security problem be traceable to them. (Martyn, “Risky Business.”)
Part 2 continues tomorrow….
The author of this blog is Katherine Barrios, chief marketing officer at Xeneta