Cybersecurity risks are rising fast, and it’s not enough for you to secure your data and IT systems within the four walls of your enterprise; you need to make sure your suppliers are not exposing you to attacks as well.

That was the message from Adam Isles from security and risk advisors Chertoff Group at the NRF SC360 conference in Cleveland in June.

Ransomware has “metastasized,” for example, with reported attacks doubling from 2020 to 2021, Isles said. A typical attack now necessitates payments of seven or eight figures, not to mention the compromise of sensitive information and loss of reputation.

Further, the effect of the COVID-19 pandemic has weakened security at many businesses – both because the “great resignation” has meant an increase in former employees who still have access to confidential information and passcodes, and because working remotely from home almost inevitably means using hardware and systems that are not as protected as they are within an office.

The Russian invasion of Ukraine, also, has had an impact. “It was supposed to be a localized incursion,” said Isles. “Instead, it’s turned into an all-out war and re-alignment of political and economic interests.”

With the naturally tendency of supply chain management to involve multiple parties, geographically dispersed, the industry is especially vulnerable to disruptions caused by cyberattacks.

The threat is real, and growing

Among the most high-profile cyberattacks have been ones on the top four ocean carriers. When Maersk suffered a cyberattack in 2017 from the NotPetya ransomware, the company's entire network was brought down for days, and operations had to be halted at 76 port terminals globally. Since then, the Mediterranean Shipping Company, COSCO, and CMA CGM have all also been hit by attacks. 

A recent CNBC news feature warned that hackers can now bring ships and planes to a grinding halt, and it could become much more common. Further, a recent report from maritime cybersecurity company CyberOwl, maritime innovation agency Thetius, and law firm HFW, found that 44% of industry professionals said their organization had been the subject of a cyberattack in the last three years. The report’s authors urged shipping companies to develop minimum security standards for suppliers and partners, and warned that only 55% of suppliers they surveyed reported being regularly asked by customers to prove they have cyber-risk management procedures in place.

“As with any sector that relies on heavy assets, maritime is deeply dependent on its supply chain. The industry has made great strides in changing attitudes to cybersecurity, but without the proper controls in place throughout its supply chain, it remains highly vulnerable. In addition to the suppliers themselves, the equipment that is installed on vessels needs special consideration,” the report concluded.

It's not just transportation providers that need to worry, of course, and the bills are piling up. CNA Financial paid $40 million in ransom after a March 2021 cyberattack that scuppered its corporate email, rendered its website useless and exposed sensitive information of 75,000 employees, contractors and policyholders. 

The perpetrators are getting increasingly sophisticated, warned Isles. “The bad guys operate like a software company. They have development teams and call centers,” he said. For some, their only job is to get initial access, which they then sell on to other bad guys who then conduct the actual attack.

The dark web is rife with illegally appropriated information that makes companies and individuals vulnerable. According to GeekFlare.com, cyber criminals added over 22 billion new records for sale in 2020 alone on the black market. And the price of an email database with up to 4.78 million emails can go for as low as $10.

Backups are not enough

Isles was very clear that simply backing up all your data and systems in the cloud is not enough these days to mitigate cyber risks. Recovery often takes extended periods of time. Although well-resourced companies are now fighting back and paying less often, the average down-time is rising – it’s currently 26 days, up 30% from Q4 2021, Isles said. And, critically, once sensitive information has been plundered, there’s no way of securing it again.

There’s been a massive increase in the complexity of the IT environment, Isles said. Just in terms of software, the average car has millions of lines of code. And the sheer volume of data being stored remotely in the cloud by services increases vulnerabilities. Amazon Web Services alone stored 100 trillion objects in 2021, up from 4 trillion in 2012. “The bad guys know this and exploit weaknesses in commonly used business software,” he said.

As more and more businesses recognize the need to ensure their suppliers are meeting regulatory and social responsibilities, lest the taint of child labor or sanctions-busting blow back on them, the same consideration should be given to cybersecurity when vetting and dealing with supply chain partners, Isles advised. 

But he had a grim warning: all companies with significant revenue should assume they will be targeted at some point in the near future. Best to get ahead of this now, and figure out your cyber-risk mitigation strategy, across your entire supply chain.