Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain


Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month and the most recent attack this week delivered a sobering reminder that those digital-driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data are sent digitally across the globe, ready for cybercriminals to steal and exploit. One recent survey of 1,400+ supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Science and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cyber security of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing similar cybersecurity efforts as their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel with regard to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The widespread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique, but it is the biggest of its kind so far, and it reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy; they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems until now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Will Hiring Hackers Help Energy’s Cybersecurity Efforts?


By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Cal Slemp, Managing Director
IT Security and Privacy Practice Leader


The chief cybersecurity engineer for a major industrial process company advocated not long ago that oil and gas companies hire hackers to improve their cybersecurity defenses. At an annual European-Middle East-Africa user group conference in The Hague last October, Eric Knapp urged attendees to drop their negative perceptions and put hackers to work on their teams.

Knapp’s advice followed a presentation of survey findings stating that 82 percent of oil and gas industry respondents have experienced an increase in successful cyberattacks over the past 12 months. Executives of European petrochemical companies SARAS and SABIC estimated that cyberattacks cost businesses up to $400 billion per year.

Several weeks earlier, the World Energy Council (WEC) issued a report that, among other conclusions, found that the demand for cyber specialists is growing twice as fast as for all other IT jobs. The WEC cited research linking recent high-profile security breaches to a shortage of almost one million skilled cybersecurity professionals.

Our perspective:

The idea of leveraging “hackers” needs to be put into context. Many organizations have resources (internally or through consulting firms) who mimic the activity that various types of real hackers execute to illegally break into a company’s IT infrastructure. These “white hat” penetration testers are excellent at testing infrastructures, applications, networks and databases. The use of trained personnel who act as hackers but have written agreements and rules of engagement can make a lot of sense for an organization and is worth considering.

However, cybersecurity, much like other strategic initiatives, cannot be addressed with technology resources or tools alone. It requires a joint effort among departments and employees of all levels. In the same way that police cannot solve all crimes by themselves (despite being the “experts”), cybersecurity professionals need the knowledge and assistance of everyone in the organization. Employees who have been educated on matters of cybersecurity become empowered and thus an extension of the security program.

Finding the similarities between cyber risks and existing risks (e.g., safety) can help translate this subject to nontechnical resources. Many of the lessons learned with regard to overall risk management through more traditional departments, such as internal audit or compliance, can be applied to cybersecurity. Sharing data points that are already being collected by these departments can add value to analyzing security threats. At an even higher level, sharing information across the industry in cyber intelligence groups (CIGs) can allow firms to collaborate on specific threats and solutions, and share data that can add value to their overall threat analyses.

Is hiring “hackers” the answer to the cybersecurity challenge? It’s not quite that simple. White hat hackers certainly have a key skill set organizations need to face the growing threat of cyber crime, but the ultimate success of an organization lies in how well the leadership empowers the overall enterprise to combat cyber risks together.

Luis Castillo of Protiviti Technology Consulting contributed to the development of this content.


IT Innovation, Part 2: Maximizing the Value of Security Investments

By Jonathan Wyatt, Managing Director
Technology Consulting Practice Leader, UK

As my colleague Ed Page indicated in his January 11 post, digital transformation represents one of the biggest innovation opportunities of the 21st century, and failure to respond quickly to innovation opportunities is one of the biggest risks faced by any business today.

A recent Protiviti white paper, Catching the Digital Wave of Change, points out that no industry is isolated from the challenges and opportunities of disruptive technology. Wearable technology, driverless cars, the Internet of Things, robotics, blockchain, biometrics, drones and nanotech are but a few examples of disruptive technologies that leaders of the future are harnessing today. In many cases, however, while business leaders recognize the opportunities, their IT counterparts struggle to deliver the digital innovation, hamstrung by day-to-day operational challenges and associated budget pressures.

It’s not for lack of trying. Over the past decade, IT departments have been reducing operations and maintenance costs consistently. Most of these savings, however, have gone to fund other priorities, the biggest being security, which now accounts for 16 percent of the average IT budget, according to our most recent benchmarking study of technology trends. Taking into account other priorities, including compliance and system enhancements, mature businesses are left with only 13 percent of their budgets free for innovation.

With a strained budget, it then becomes critical for IT leaders to prioritize spending according to top-down strategic risks. Cybersecurity is one area ripe for such prioritization.

I see too many businesses look at cyber as a generic risk that must be avoided, without taking the time to clearly define the organization’s risk appetite and the adverse business outcomes that they are concerned about. As a result, many businesses end up focusing on the wrong things, reacting to technical vulnerabilities rather than focusing on the desired business outcomes. This, in turn, causes many security programmes to become a drain on resources, without delivering significant results in terms of risk reduction of the business outcomes that the business is most concerned about. Conversely, when IT leaders look at information security risks more holistically, focusing on strategies to manage adverse business outcomes rather than every technical weakness, they end up investing in very different things and adopting very different strategies.

In other words, IT leaders need to step back and ensure that they are getting the results they want from their cybersecurity investments. This means focusing on protecting what’s important (the “crown jewels”) rather than trying to achieve the impossible and completely locking down the entire perimeter; keeping up with the cyber threat landscape to know what kind of attacks are most likely to occur; and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity will continue to consume larger and larger portions of the IT budget. Innovation will suffer and the business may ultimately fail — not because a cyber threat is realized, but because the disproportional and unfocused spending on one operational risk has distracted the business from the more strategic risk of failing to mount a competitive response to new entrants and/or innovators.

10 Tips for Companies to Raise Cyber Awareness Among Employees

October is Cyber Security Awareness Month. Follow our blog for the latest from our experts on how to reduce your cybersecurity risk and related issues.


By Scott Laliberte, Managing Director
IT Consulting

Although much of the media attention surrounding cybersecurity tends to focus on hackers forcing their way into systems, research shows companies are almost twice as likely to suffer from a self-inflicted breach via email phishing, or other inadvertent employee-assisted action.

According to the latest data from ISACA, 74 percent of companies expect to fall victim to a cyberattack in 2016. A majority of those attacks (60 percent) are coming via email, with 30 percent of companies reporting daily occurrences.

Cyber criminals favor this and similar employee-assisted attack vectors because they provide access to secure networks through the front door, eliminating the need to hack in. Email security concerns and the importance of developing and following strict network security protocols have escalated to the point of becoming a point of contention in the current election cycle.

Here are ten ways companies can raise employee awareness of the threats, and the important role employees can play in protecting valuable and sensitive information.

  1. Beware of email links and downloads — This is true even if the sources appear to be known to the user. Cyber criminals are becoming adept at embedding malware and credential-stealing code in emails that appear to be coming from friends or colleagues. This practice, called phishing, is the most common source of employee-assisted breach, and has become so sophisticated that the fake emails often contain personal details designed to break down natural suspicions. We advise users to hover over links with their cursor to reveal hidden hyperlinks, or to type a specific URL into a web browser rather than relying on an email hyperlink.
  2. Don’t email sensitive information — This should be common sense, but it happens more often than you might think, often in connection with providing vendors with administrative access to accounts using another user’s credentials.
  3. Assume people are listening — Treat unencrypted email like a conversation in a crowded room. Even if the company doesn’t have good policies on it, employees need to use common sense. Sensitive information should only be transmitted via encrypted email or secure file transfer.
  4. Trust but verify — No one should ever ask you to share your password. A good practice when dealing with any sensitive information by telephone is to hang up and call back using a known telephone number. The same practice should be applied to hyperlinks in email or web pop-ups, which can be used either to collect sensitive information, or as a gateway for criminals into a secure network.
  5. One user, one password — Never share passwords; change them frequently and pick secure ones based on phrases, using a combination of upper and lower-case letters, and substituting special characters for alphanumeric values. Example: Pa$sw0rd. Two-factor authentication (combining, say, token authentication or biometric scan with a user password) is highly recommended and is becoming the standard for administrative access.
  6. Practice safe social media — Hackers are increasingly mining social media for personal details — from political party affiliations and hobbies, to travel plans and friends and family — that can be used to personalize harmful emails in order to get targets to click on them. A common tactic is for hackers to pose as a new contact following up on a conversation at a conference. This type of social engineering, also called “spear phishing,” has proven to be highly effective. Employees must be thoughtful about what they are posting and how that information could be used to target the organization. In a similar vein, network engineers should be cautioned against posting sensitive information such as IP addresses or configuration details to vendor support forums, the so-called “watering holes” where criminals have been known to lie in wait for unsuspecting prey.
  7. No unauthorized software — This is a common policy, but given the unpredictability of human behavior, many companies now routinely disable administrative access on company-issued workstations, phones and laptops. Given the trend toward remote access and “bring your own device” (BYOD), organizations need firewalls to segment secure systems from malware residing on user-owned devices. The use of USB sticks of unknown or uncertain origin should be prohibited.
  8. No access via shared public workstations — It is safe to assume that any unsecured public workstation — such as those at libraries or hotel business centers — has been compromised. Do not use these to log into corporate networks or sensitive sites such as your personal email or banking. Connecting to any unknown Wi-Fi networks, as well as inadvertently creating a personal hotspot with a mobile device connected to a corporate network, can provide a backdoor avenue into the company.
  9. Don’t mix business and pleasure — Company phones and laptops should only be used by the authorized user, and only for business purposes. Children playing on company-owned computers have been known to inadvertently infect computers with malware present in many free online entertainment applications.
  10. Don’t forward work email to a non-work account — This is a common mistake, but one that should be avoided. The practice of auto-forwarding email from work to a personal email account or cell phone puts sensitive information on a potentially unsecure system and could violate regulations on privacy and data security.
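The “hidden hyperlink” check in tip 1 can be automated on the defender’s side by comparing the text an anchor displays with the host its href actually points to. The script below is an added example, not code from the original post or from Protiviti; it uses only the Python standard library, and the sample email body is constructed (domains are placeholders).

```python
"""
Flag email anchors whose visible text shows one domain while the href points
to another, the mismatch a user would see by hovering over the link.
Added illustration; not part of the original post. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches text that looks like a URL or bare domain and captures its host.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _shown_host(text: str):
    """Host implied by the anchor's visible text, or None if it is plain wording."""
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body: str) -> list:
    """Return anchors whose displayed host differs from the href host.

    A subdomain of the displayed host (login.bank.example for bank.example)
    is accepted; anything else is reported for review.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown = _shown_host(text)
        if shown is None:
            continue  # "Read the guide" style text: nothing to compare against
        actual = (urlparse(href).hostname or "").lower()
        if actual and actual != shown and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message: one honest link, one mismatched link, one plain-text link.
SAMPLE_EMAIL = """
<p>Your statement is ready.</p>
<p><a href="https://bank.example/statements">https://bank.example/statements</a></p>
<p><a href="https://bank-example.example.net/login">https://bank.example/login</a></p>
<p><a href="https://support.vendor.example/kb">Read the guide</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"displayed {f['shown']} but points to {f['actual']}: {f['href']}")
```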

Although these tips apply to all employees, I would note that executives are targeted at least as often as other employees, because of the greater access granted by their high-level security credentials. As with most policies and procedures, proper training, reinforced through repetition, is critical to success.

While we as security practitioners strive to design security controls to be seamless and not dependent on end users, we are still years away from not having to rely on the vigilance of the end user community. Each person needs to do their part to keep the organization safe. Finally, if inadvertently you fall victim to a cyber attack, immediately report it to the proper channels. Bad news does not get better with age, and prompt action can limit the damage from an attack.

PCI DSS 3.2 – What You Need to Know

By Jeff Sanchez, Managing Director, IT Security and Privacy

and Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. This affects all entities transacting business by credit, debit or cash cards and could result in many organizations being out of compliance for an extended period of time.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication will be required for administrative access to any system within, or connected to, the cardholder data environment (CDE), even when connecting from within the corporate network. That means that, in addition to a password, anyone seeking to access the system must present some other form of identification, such as a fingerprint or optical scan. This requirement already applies to users, administrators and third parties accessing the system remotely. Note: Companies currently using multifactor authentication as a compensating control for technical noncompliance will no longer be able to list this as a compensating control after it becomes a requirement.
  • File integrity monitoring (FIM), or some kind of change-detection solution, will be required for all in-scope systems, which includes all systems connected to – not just those within – the CDE. Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI 3.2 requires organizations to carefully document all changes to in-scope systems, plus any controls that might be affected by each change, and prove that the controls have been tested post-implementation and that corrective action was taken, if needed, to restore an effective control environment.
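To make the FIM requirement concrete, here is an added example (not Protiviti’s or the PCI Security Standards Council’s code) of a minimal change-detection check: record a baseline of SHA-256 digests and permission bits for every file under an in-scope directory, rescan later, and report what was added, removed or modified. The monitored paths and file contents in the demo are constructed placeholders.

```python
"""
File-integrity-monitoring (FIM) check of the kind PCI DSS 3.2 requires on
in-scope systems: baseline, rescan, and report added / removed / modified files.
Added illustration, not the PCI Council's or Protiviti's code.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its digest and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope for this check
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans; a changed digest or a changed mode both count as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in production keep it off-host or signed."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline, change, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("terminal_id=0001\n")
        (root / "bin" / "pos").write_bytes(b"placeholder-binary")
        save_baseline(build_baseline(root), root / "baseline.json")
        # Simulated unapproved changes between the two scans
        (root / "etc" / "pos.conf").write_text("terminal_id=0001\ndebug=1\n")
        (root / "bin" / "pos").chmod(0o777)
        (root / "bin" / "extra").write_bytes(b"new-file")
        before = load_baseline(root / "baseline.json")
        after = build_baseline(root)
        after.pop("baseline.json", None)  # the baseline file itself is not monitored
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each finding is the trigger for the change-management evidence the next bullet describes: an approved change record, or an alert if none exists.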

Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring needs to be able to detect failures, and the provider must have supporting processes that document how to fix control failures, as well as processes for documentation, determining root causes and getting security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers are also now required to provide auditors with a documented description of cryptographic architecture used in the CDE. This must include all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiration date.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.