Supply chains and cyber threats

There is a famous quote attributed to the British explorer, Sir Walter Raleigh, who said:

“Whosoever commands the sea commands trade, whosoever commands the trade of the world, commands the riches of the world and consequently, the world itself.”

These days, global trade is commanded and controlled by data and information. Meanwhile, the supply chains generating the data and information are under severe threat of disruption and theft. How organisations develop strategies to plan, protect and defend themselves falls under the general heading of cyber security.

Cyber threats manifest themselves in a number of ways, from merely irritating through to the complete failure of operations and large-scale theft. These attacks are taking place every second of every minute and every hour of every day, somewhere in the world. Indeed, many cyber security specialists state that there are really only two kinds of companies: “those that have been hacked, and those that don’t yet know they have.”

There are various kinds of cyber threat, with the vast majority being prevented by some basic principles and precautions. However, the threats that are focused, planned and very well executed are the ones that are much harder to prevent.

Many security breaches are not actually the result of sophisticated technology hacks. They are categorised as ‘socially engineered’ breaches. This ‘social engineering’ is where access to corporate systems is gained via valid user IDs and passwords that the attackers have been able to steal. If there is a casual attitude to the use of access credentials such as IDs and passwords in an organisation, it shouldn’t come as a surprise if they fall into unauthorised hands. Once an attacker is inside the system it’s usually too late, and the only barrier to massive damage is the security model of the underlying system. If the compromised user has high-level privileges to access many parts of the targeted system, the attacker can cause havoc.

All companies should have clear policies for ensuring that access IDs to corporate systems are kept confidential. However, this should be only part of a corporate information security strategy. The task has become harder with the growth in the number of mobile devices being used to access corporate data.

The risk profile of any organisation is influenced by its attitude to cybercrime. Also, because participants in any supply chain are continually exchanging data with trading partners, the management of cyber risk should apply to the whole supply chain, or network.

Key findings from Price Waterhouse’s 2015 Security Breaches Survey pointed out that the number of breaches has increased, and the scale and costs have doubled. Also, nearly 9 out of 10 organisations have suffered some kind of breach. As previously stated, socially engineered attacks are still as likely to result in breaches as either viruses or malware.

The following scenario shows how a seemingly innocent action can result in serious consequences: an employee casually introduces a compromised USB stick (perhaps given as a free sample or found lying in the street) into a port on a network-connected device. The moment the device receives power, any embedded malware is injected into the corporate network and gets to work.

Clear, uncomplicated and coherent policies can do a lot to prevent these events.

The potential attackers are many and varied, from the casual opportunistic hacker (often a disgruntled former employee), through to criminal gangs out to steal user and access information that can be sold on to other parties. The most sophisticated exponents are governments or their proxy agencies that view the use of offensive cyber capabilities as part of their overall military arsenal. Attacks from these sources are almost impossible to prevent by individual organisations, but are, for the moment, thankfully rare.

All organisations now have to accept that the use of information systems opens them up to new kinds of existential threats. All personnel should be educated about the potential risks they face from cybercrime and the basic steps for prevention. It is as much an issue of attitude as of technical ability, and, as has been seen in some recent high-profile cyber-attacks, being sorry after the fact does nothing to remedy an empty bank account and corrupted operational systems.

Representatives from Ti, Ken Lyon and John Manners-Bell, will be giving a further briefing on this subject at the Multimodal exhibition at the NEC 10-12 May.

Source: Transport Intelligence, 4th May 2016

Author: Ken Lyon