Supply chain risks are high profile, and several have triggered global news coverage. The problem is that there is still too little being done about it.
SolarWinds was the highest-profile and was, according to many, the perfect third-party supply chain attack. It reflected new patience among hackers, who infiltrated the Texas-based company and sent ‘trojanised’ updates to the company’s clients over three months, including US Government departments.
A recent survey by security firm BlueVoyant (1,200 CIOs, CISOs and CPOs – Chief Procurement Officers) found that awareness of supply chain risks has definitely increased: the share of executives who said it was not on their radar fell from 31% last year to 13% this year.
This is clearly good news, especially as the majority have increased the budget to counter those supply chain risks.
The problem, an old familiar problem, is that the action taken to mitigate these supply chain risks is old fashioned to the point of being embarrassing. Many companies still audit their supply chains using a paper-based ‘system’, and many audit them only twice yearly.
This means that companies have no way of knowing whether there are current, ongoing risks in their supply chains. By the time they find out, either through the supplier going public with the information or the attack vector being exposed by a security company, it is too late. Ongoing monitoring is vital.
The problem is significant and, sadly, fits with what we know about current attitudes to risk. Security is an afterthought against the backdrop of a global pandemic, the management of a remote workforce, and the effort to keep specific processes working as well as they can.
Executives take the attitude that ‘if we increase sales, we can swallow the effects of an attack.’ Managers take the attitude that their lives are stressed enough and hope against hope that someone else’s alarm will go off, not theirs.
It is not an easy issue.
How do you energise your security, information and procurement teams to be more proactive? Working out an effective incentive is not easy and certainly not easy to monitor (‘Yup, only today boss I fought off two cyberattacks’).
The fact remains that supply chain risks are ripe for exploitation by sophisticated, patient hackers. The other point is that ransomware attacks have doubled in the last year, the average ransom is over a million dollars, and too many companies end up paying.