Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain

 

Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month and the most recent attack this week delivered a sobering reminder that those digital-driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data is sent digitally across the globe, ready for cybercriminals to steal and exploit. One recent survey of 1,400+ supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Science and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cyber security of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing similar cybersecurity efforts as their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel in regards to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance

 

 

 

The WannaCry malware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running after the attack was expected to potentially add up to billions of dollars. Additionally, some organizations could face lawsuits over their failure to secure the previously disclosed Windows vulnerability that the criminals exploited.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle state and financial institution claims stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve clarity on their policies and enhance the ability for customers to compare different proposals. And, it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try and recoup their losses using kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need a first-person policy to cover the cost of retrieving data critical to the operation, or does the company possess consumer information that requires protection against third-party lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

 

 

 

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The wide-spread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique but it is the biggest of its kind so far, and reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy, but they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems up till now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

Undetected Breaches and Ransomware Change How We Think About Cybersecurity

By Adam Brand, Director
IT Security and Privacy

 

 

 

As new possibilities in information technology continue to transform organizations, they may outpace any cybersecurity protections already in place. Controls that seemed adequate yesterday might not be equal to the challenges presented by new technology and ever-evolving threats today. Our recently-published issue of Board Perspectives: Risk Oversight (Issue 90) discusses eight of today’s business realities directors should consider as they oversee cybersecurity risk, and it is worth a read. We’d like to comment further on two of these realities here.

  • The first reality represents a change in thinking: Whereas the adage of yesterday was “It’s not a matter of if a cyber risk event will occur, but a matter of when,” we now know that it’s better to acknowledge that cyber risk events are already occurring, whether we’re aware of them or not.
  • The second reality revises the familiar advice to identify and protect the critical data assets and information systems, aka “crown jewels,” extending that advice to include being aware of the adverse business outcomes that result from the unavailability or compromise of business-critical but non-sensitive data.

Both of these realities have one thing in common: Boards must remain open to new ways of thinking about cybersecurity, because organizations’ information technology assets — and the ways criminals exploit them — keep evolving. Or to paraphrase the Greek philosopher Heraclitus, the only constant in cyber threats is change.

Hunting for Hackers

Thinking “cyber risk events are not a matter of if, but a matter of when” is no longer sufficient — unless you think of “when” as having happened already. Breach statistics show that the vast majority of breaches are not self-detected. In one example from our own incident response practice, a firm that had several threat detection measures in place was blissfully unaware of a credit card breach until they were informed about it by the Secret Service. The attacker had been in the environment for over one year! This example is not uncommon, as breach statistics also show that the average time between an attack and its detection is over six months.

In hindsight, the proper response to this kind of threat would have been a proactive one — a technique known as “breach assessment” or “threat hunting.” Rather than using in-place technologies and processes as a check on prospective cyber risk events, threat hunting searches proactively for attacks already in progress by asking, “Are we already breached, but unaware of it?” More organizations are now augmenting their cyber defenses with the creation of internal “threat hunting” teams or engaging third parties for periodic breach assessments. Support of ongoing threat hunting and regular third-party breach assessments are two ways for boards to ward off the possibility of a long-term, undetected breach.

More Than Crown Jewels

Just a short time ago, “identifying and protecting critical data and systems” — aka, crown jewels — was the standard measure of adequate cyber risk management. However, a narrow focus on sensitive data, rather than an outcome-driven approach to cyber risk management, could cause an organization to overlook real threats elsewhere — like those presented by ransomware, for example. In the past few years, ransomware has changed the risk equation for companies by targeting operational rather than sensitive data. Encrypting non-sensitive information for ransom may not be the exact high-risk data loss we’ve all been warned about but it will cripple business operations nevertheless until the ransom is paid.

Until recently, firms who possessed only non-sensitive data could rest easy knowing they had no “crown jewels” to protect. They should rest no longer, as all firms are vulnerable to ransomware. Boards should be vigilant about this risk, and ensure that safeguards are in place — as well as continuity plans. Shifting focus from warding off a specific data breach — like the loss of sensitive data via a specific application — to considering all adverse business outcomes leads to more comprehensive cybersecurity solutions.

While all eight new business realities discussed in our latest Board Perspectives warrant attention, these two in particular highlight the need for evolving an organization’s approach to cyber risk oversight, now and in the future. You can read our latest Board Perspectives issue here, and we’d love to hear from you in the comment section below.