Last year was a smash hit for hackers, as millions fell victim to cyberattacks and ransomware — including 48 million individuals in manufacturing and utilities alone. Enterprise supply chains were particularly vulnerable, with over 95% of firms facing attacks in 2021.
Cyberattacks often result in lost or compromised data, and companies are at risk of being targeted at any time. According to the Veeam Data Protection Trends Report 2022, nearly 90% of enterprises today are at risk of losing precious data, with 76% reporting at least one ransomware event within the past 12 months, and over 90% unable to recover some of their lost data.
What does this mean for supply chains? Essentially, when supply chains are attacked, all corporate functions are threatened, including transportation, vendor management, sourcing, supply chain continuity and quality, and many other functions that require a coordinated effort to be resolved. The ongoing barrage of cyberattacks across industries has left organizations facing trickle-down effects that will have an impact for years to come.
For instance, a payroll and staffing company spent over a month cleaning up following an attack, subsequently delaying employee payroll. And just last December, a Colorado energy company lost 25 years’ worth of data after an attack took down 90% of its internal systems.
Lacking proper data backup and the demonstrated ability to restore it, these companies not only lost invaluable data and time, but also potentially the trust of employees, consumers, shareholders, and board members. If businesses want to protect their people, they must start by protecting their data. So what can they do to get ahead of cyberattacks and ensure that their data, employees and customers aren’t impacted long term?
Zero Trust
According to IBM, the average cost of a data breach surpasses $4.2 million. In today’s dynamic cyberthreat landscape, it is unrealistic to continue ignoring prevention in favor of the cure. With the growing popularity of zero trust architectures, it’s time that companies start adapting their legacy systems to match the threats they face.
Take preventive measures to defend your attack surfaces. Implement security requirements in every contract and agreement you sign, including signaling potential vulnerabilities and predetermining responses to breaches. Supply chain vendors should be pre-assessed for their security measures to confirm that they are up to standard. Vendors should work with your security team virtually and on site to address any security gaps, and software and hardware should require authentication for access to a limited few.
Adopt systems to identify, track, and trace all components of your organization’s supply chain seamlessly. According to Blue Voyant, four in five firms have suffered a cybersecurity breach caused by a third-party vendor. By investing in the right technologies and automating manufacturing and testing sites, you can eliminate the possibility of human error. A company’s security hygiene doesn’t stop at its devices or vendors; zero trust can ensure that all steps of a supply chain, from manufacturing to implementing, are secure from incidental or intentional harm.
A Security-First Philosophy
A security-first approach that encompasses the culture and mindset of the company is the best way to successfully cover a supply-side attack surface. Once you embed a cautious and security-oriented focus in your employees, and provide the appropriate tools and training, security can be streamlined to fit into every department. This secures all open touchpoints that can access your company’s supply chains, and ensures a secure supply chain in the long run.
Introduce regular security training, awareness, and supply chain development programs to your employees, so that everyone fosters healthy security hygiene. Host tabletop exercises and simulate phishing attacks so that your employees can demonstrate their capacity to respond in such cases. Use monitoring tools to identify your supply chain and security employees’ strengths and weaknesses, and help them to overcome these weaknesses. In the meantime, adjust your security accordingly to cover all attack surfaces. If these align with your third-party vendors’ approaches, all the better, as your perspective and approach to security will be mutual.
There will always be threats that change, adapt and penetrate layers of security. If the culture and philosophy of a company instills a sense of skepticism and deep knowledge of security in employees, these threats can be promptly spotted and resolved, thereby protecting the entire company.
No one is 100% immune to danger or disaster — even Sparta had its bad days. Your enterprise should adopt a defense strategy to protect customers and projects if things go wrong. Unfortunately, not enough people are taking action to protect their supply chains when things do go wrong.
Cloud service providers (CSPs) can expand the focus to include data backup and recovery. They should introduce automated backup tools and measures that keep customers on track when the inevitable befalls them. A business has a responsibility to its clients and their data to ensure system recovery against disaster. Implement disaster recovery planning across your departments, and ensure the plans are regularly updated to anticipate all eventualities and cover all attack surfaces. While cost-intensive, the return on investment will be evident when disaster strikes.
Every business needs a plan that stands up to the rigors that system outages and data loss can bring. Investing in protection will ensure data availability. In an increasingly competitive cloud market, this is no longer a tentative option, but a crucial next step — the last line of defense for business continuity.
There’s no guarantee that a company can completely protect its supply chain from being compromised. Such threats make it a necessity to practice good security hygiene, embrace a security-first mindset, assume you’re operating in a state of perpetual compromise, and implement a data recovery plan. Without these defense measures securing an organization from top to bottom, you can expect a lot more than “trickle-down” consequences and a few million victims.
Gil Vega is chief information security officer at Veeam.