Cyberattacks are impacting suppliers at record rates. Attacks on supply chain organizations increased by 51% in the second half of 2021, with the number continuing to grow. Cybercriminals are targeting suppliers not only to steal their information, but also to search for and pinpoint holes in their partners, thus spreading the damage beyond a single company.
Supply chain companies can proactively prepare for and prevent cyberattacks, and respond if vulnerabilities are detected, with the help of pen testing as a service (PtaaS). Pen testing, short for penetration testing, is a simulated cyberattack on one’s own systems, to check for vulnerabilities that can be exploited by hackers.
What can suppliers do when the worst happens? Eighty-two percent of chief information officers believe their software supply chains are vulnerable to attack, according to Venafi. Cybercriminals get smarter as technology evolves, and the battle will only grow more complex.
Following are some ways to protect your company’s data and mitigate the potential damage a breach can cause:
First, assess how big the breach was. Create a checklist of critical questions that need immediate answers, such as: How much was stolen? How did the criminal gain access to the data? Which other organizations can now be breached using the affected data? Once the scope of the breach is identified, a company-wide and customer-wide response can be created.
Second, respond immediately to affected parties. Communicate what happened, what the business is doing to address the breach, and how it will ensure this never happens again. No matter the industry, it’s critical to remain transparent about the extent of the breach, as any threat to personal information often sparks serious concern. For suppliers, the affected parties can also include clients or partners whose own companies may have been breached as a result.
Lastly, make immediate protocol and company policy changes to follow through on promises to strengthen cybersecurity. This includes running pen tests more consistently to ensure the new cybersecurity protocols work and that sensitive data is secure against multiple types of threats. The goal after an attack is to ensure it doesn’t happen again and to regain the trust of your employees, customers, partners and other critical stakeholders.
Proactivity Is Key
According to The University of Maryland, a cyberattack occurs every 39 seconds. It’s the companies that constantly and proactively monitor their security posture that succeed in the end, especially among suppliers. Having an internal team solely dedicated to finding vulnerabilities can make or break a company’s success, but it can be highly expensive, and the company will have to compete for the shrinking pool of security professionals on the market. With today’s tight market, a dedicated cybersecurity team might be off the table for organizations with restrictive budgets, especially as the shortage is hitting all industries.
Business logistics costs have risen 22% throughout 2021, according to the Council of Supply Chain Management Professionals, making budgets even tighter than normal. Budget restrictions are also hitting cybersecurity professionals, especially when it comes to labor: 94% of cybersecurity professionals are currently affected by labor shortages, according to the State of Pentesting Report. When evaluating the best security solution, here is what you should look for:
First, re-evaluate cybersecurity practices from the bottom up — including the most basic mistakes, like reused passwords and unencrypted storage. According to ProofPoint, more than 80% of businesses suffer intrusions through compromised suppliers each month, so suppliers need to be extra attentive to their cybersecurity posture. Is there someone at your organization who has access to sensitive files on a personal device? If you’re using cloud infrastructure, has it been properly configured? Is your storage properly encrypted? Is there a partner or client from whom data could be stolen? These are the types of simple questions that business leaders must ask their employees constantly, as a majority of high-profile hacks are due to weak passwords and unsecured documents.
Second, when was the last time a pen test was conducted on your organization? Pen tests can find security vulnerabilities, flaws and holes, improving an organization’s entire security posture. The supply chain industry is especially vulnerable to cyberattacks, as cybercriminals see this sector as a door to a one-to-many attack, where they can gain the information of hundreds or thousands of organizations while breaching only a single point. While many organizations choose to have an internal pen tester, using a pen testing-as-a-service (PtaaS) provider allows an unbiased third party to analyze the organization’s security posture. PtaaS also brings agility and flexibility to a testing program, allowing for more accurate and precise tests than traditional pen testing practices.
After implementing a pen testing service, it’s likely the pen testers will find one, if not many, security vulnerabilities that could result in a breach. This is nothing to be afraid of: beyond identifying the issues, the pen tester will show what to do and how to fix them. PtaaS provides detailed reports anyone can understand, with figures on how likely a breach is to occur and exactly what can be done to close the security holes. Your internal security team can then collaborate in real time with the lead pen tester to properly implement the fixes, giving your security team the third-party insight that traditional pen testing doesn’t offer. Vulnerabilities are likely to reappear, so regular pen testing is the best way to make sure the business is safe from hackers and cybercriminals.
Cobalt’s 2022 State of Pentesting Report found that 66% of security teams struggle to maintain high security standards due to a lack of team members amid the ongoing talent shortage of security professionals. This shortage is making it harder even for organizations that could afford a large internal cybersecurity team to find the talent needed to staff one. Many companies are turning to PtaaS platforms to receive unbiased, consistent and frequent pen tests. PtaaS allows organizations to run leaner internal teams without compromising on their cybersecurity. With PtaaS, organizations no longer need to worry about actively pen testing themselves, as pen tests are scheduled regularly in the background of other business operations. Cybersecurity professionals can focus on upgrading and maintaining the business, while the external PtaaS group focuses on ensuring no additional vulnerabilities are appearing within your organization. Supply chain attacks are becoming more and more frequent, so cybersecurity management and frequent testing are now vital for all companies and workers.
The Secret to Proper Security
Proper business security and protection rest on strong pen testing processes. Routine pen testing ensures that suppliers’ defenses are secure and working to block potential attackers. Many organizations are forgoing internal pen testers, as hiring a large internal group of security professionals may not be feasible for every organization due to time or cost.
Think of pen testing services as ethical hacking. A pen tester plays the role of a potential cybercriminal and tries to breach the client organization from various angles. They assess what security vulnerabilities might exist within the current cybersecurity posture, with the aim of hardening and improving their clients’ security. Each pen test gives an organization a detailed assessment and analysis of its current security posture and includes next steps for further improving its security. The pen tester will show you where malicious actors will try to breach your systems, and how to create an environment where they’ll have a hard time trying in the future. PtaaS not only offers third-party insight, but also allows for more frequent tests to keep up with ever-evolving breaching tactics.
It’s time to take what you learned from your pen tests and invest in your cybersecurity. PtaaS’s collaborative, speedy and standardized delivery has shown that cybersecurity doesn’t have to be a burden for suppliers. Suppliers are targeted frequently by hackers because of the possibility of breaching multiple organizations at once. Communicating with your pen testers gives your cybersecurity team valuable insight into where to prioritize resources, which tools to invest in, and what everyone in the organization can do to help prevent cyberattacks. Suppliers need to make sure not only that they themselves are safe, but also that their partners’ information is protected.
Jay Paz is senior director of delivery with Cobalt.