Every day, cyber-attacks target supply chains and other critical business sectors. Therefore, every type of business – without exception – must consider cyber-attacks as a threat, making it an enterprise-wide issue, not just an IT issue or one limited to a single department.
Bigger, better, stronger…and organized
Cyber-attacks involving ransomware were an isolated and rare event just a decade ago. Today we have witnessed the evolution to a more organized model known as Ransomware as a Service (RaaS). We also observe APT (advanced persistent threat) groups that follow a pattern of extortion, characterized by frequency and sophistication. Cyber-attacks not only affect the availability of business systems, but also lead to the release of sensitive data, which results in a major threat to the company, its partners, and customers.
The greater the benefit, the greater the responsibility!
The technologies that empower business are also the tools of choice for cyber criminals. Cybercrime has gone from an informal event to an organized movement, which means integrating your suppliers and partners into the risk management equation is now essential. While supply chain security requires certain IT resources to audit, prevent and improve, the situation goes beyond the IT department. It is often difficult for one department alone to define the full list of suppliers and partners and manage the risk itself, making it a company-wide risk management issue that involves all departments.
Cybersecurity can no longer be ignored or relegated to the bottom of the stack. Every company is a technology company that has key infrastructure that empowers its core business function. Communication, collaboration, connectivity, and compliance are all parts of a successful business. Combine that with people, process and technology and it becomes evident that managing the risk of business disruption by bad actors is just as valuable, if not more so, than the technology itself.
We can no longer ignore the cyber-security readiness of the supply chain and supporting businesses. As businesses work together, they need to consider how information is shared and verified. The technologies and tools that are used by suppliers, clients and partners have an immediate impact on every business that is touched by that chain of communication. Collaborating with a supplier or client that uses outdated technology, or has poor cyber-hygiene, increases the risk of working with that business. If we all start to hold each other more accountable to a higher standard of cyber-security awareness and hygiene in our businesses, then everyone benefits.
You can consider your staff the weakest link in your business, or you can empower them to be the gatekeepers. Technology aside, all core business activities are accomplished by people. Therefore, when planning for disruption and compliance, you need to involve everyone in the company. It must be a bottom-up exercise of collaboration, rather than a top-down decree of technology and process.
As technology advances, such as the metaverse, allow businesses to be more connected than ever before, the risk of deepfakes and other social engineering tactics increases. The strategy of building a secured perimeter is fast becoming ineffective. Most breaches occur because a person has unwittingly given away the keys to the kingdom.
The way forward is to start to take a more humanistic approach to cyber-security: look at every person that is involved in the chain of communication, and build processes and tactics around confirming information and validating all communication sources that touch a business. Combine this with training in cyber-security awareness, and you have a powerful formula for preventing most cyber-attacks, barring the most sophisticated ones that target technology rather than people.
For the attacks that target technology, ensure that best practices in both configuration and use are followed and you cover off most of the vulnerability. In the end, it is not the technology that is the problem, but rather the people that interact with it.
Let’s stop looking for a technology solution to cyber-crime. It is time we start to realize that it is a human issue, and not a technological one, and act accordingly.