As supply chains become more digital and more globally networked, they also become more vulnerable to cyber attacks.
The supply chain security threats organizations need to be wary of include data leaks and theft, denial-of-service attacks, and malware and ransomware attacks, all of which can halt supply chain operations and disrupt businesses.
Supply chain security issues only become bigger threats during the holiday season, according to Kyle Rice, CTO at SAP National Security Services (NS2). NS2, headquartered in Newtown Square, Pa., is a wholly owned subsidiary of SAP that sells SAP technology, applications and services to organizations that can’t purchase software from a foreign-based firm. The holiday season is particularly attractive to threat actors because IT staffs are often reduced, employees are more distracted and businesses experience surges in activity.
In this Q&A, Rice delves into the nature of these supply chain security threats and how organizations can mitigate them.
What are some issues around supply chain security that companies need to focus on?
Kyle Rice: There are a couple things. One of these is visibility around what you have. Essentially you have to have your purchasing people look at their bill of materials to see where the components are coming from. Are there companies or products in the chain that they aren’t comfortable relying on? Are there key components coming out of countries that don’t have the U.S.’s best interests at heart? It can be a pretty complicated web, but there are tools out there that can help you. This knitting together of webs is what computers are good at.
The second is focused on mitigation and making alternative plans because you are going to find problems. Visibility, alone, is not enough, and now you have to figure out what to do about these problems.
Why are security threats particularly focused on the supply chain?
Rice: With supply chain, you’re only as strong as the weakest link. So if someone is trying to cause a particular company some distress, that company may be locked in pretty tight, but there may be a supplier in the supply chain that’s not being as careful, so it can break down there. This can cause serious problems. For example, if you look at the car production problems we have now, manufacturers can still build all the high-end car parts — the engine, the drive train, the car body — but that doesn’t matter because they can’t get the real cheap commodity-level chips, so they can’t sell cars. This very small part is stopping the whole industry. So if there are nefarious actors involved who really want to bring down the automotive industry, that’s not a bad way to do it. If someone is trying to break things, they’re going to find that weak link in the chain, and you’ve got to find it before they do.
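Rice's two points above, getting visibility into where every component in the bill of materials comes from and finding the single weak link before someone else does, are the kind of "knitting together of webs" a script can do over a BOM. The following is an added example written for this article, not code from SAP NS2 or the interviewee: it walks a small constructed, nested bill of materials, flags parts whose supplier or country of origin is on a watch list, and separately flags single-sourced parts (no qualified alternate supplier) together with everything that depends on them. All part names, suppliers, country codes and watch-list entries are invented placeholders; a real run would load the organization's own BOM and its own risk criteria.

```python
"""Transitive bill-of-materials review (added example; data is constructed)."""
from collections import defaultdict

# Constructed BOM: each part lists its supplier, country of origin, the
# sub-parts it is built from, and any alternate qualified suppliers.
BOM = {
    "vehicle": {"supplier": "AcmeMotors", "country": "US",
                "parts": ["engine", "infotainment"], "alternates": []},
    "engine": {"supplier": "EngineCo", "country": "US",
               "parts": ["ecu"], "alternates": ["EngineWorks"]},
    "ecu": {"supplier": "BoardHouse", "country": "MX",
            "parts": ["mcu"], "alternates": ["BoardHouse2"]},
    # Commodity chip used by two assemblies; 'XX' is a placeholder country.
    "mcu": {"supplier": "ChipFab", "country": "XX",
            "parts": [], "alternates": []},
    "infotainment": {"supplier": "ScreenCorp", "country": "US",
                     "parts": ["mcu"], "alternates": ["ScreenAlt"]},
}

# Placeholder watch lists; an organization substitutes its own criteria.
WATCHED_SUPPLIERS = {"UntrustedVendor"}
WATCHED_COUNTRIES = {"XX"}


def flatten(bom, root):
    """Return {part: one path from root} for every part reachable from root.

    Iterative depth-first walk; the 'seen' check makes it safe on BOMs with
    shared sub-parts or accidental cycles.
    """
    seen = {}
    stack = [(root, [root])]
    while stack:
        part, path = stack.pop()
        if part in seen:
            continue
        seen[part] = path
        for child in bom[part]["parts"]:
            stack.append((child, path + [child]))
    return seen


def review(bom, root, watched_suppliers=WATCHED_SUPPLIERS,
           watched_countries=WATCHED_COUNTRIES):
    """Return findings: watch-list hits, single-sourced parts, and the overlap.

    'critical' is the intersection: a part you are uneasy about that also
    has no alternate supplier, i.e. the weakest link in the chain.
    """
    reachable = flatten(bom, root)

    # Fan-in: which assemblies depend on each part (shared parts matter most).
    dependents = defaultdict(set)
    for part in reachable:
        for child in bom[part]["parts"]:
            dependents[child].add(part)

    findings = {"watchlist": [], "single_source": [], "critical": []}
    for part, path in reachable.items():
        entry = bom[part]
        on_watchlist = (entry["supplier"] in watched_suppliers
                        or entry["country"] in watched_countries)
        single = not entry["alternates"] and part != root
        if on_watchlist:
            findings["watchlist"].append({
                "part": part, "supplier": entry["supplier"],
                "country": entry["country"], "path": path})
        if single:
            findings["single_source"].append({
                "part": part, "dependents": sorted(dependents[part])})
        if on_watchlist and single:
            findings["critical"].append(part)
    return findings


if __name__ == "__main__":
    result = review(BOM, "vehicle")
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

Running it over the constructed data reports the commodity MCU as both a watch-list hit and a single-sourced part that two assemblies depend on, which is exactly the "very small part stopping the whole industry" situation the answer describes; the `critical` list is where mitigation planning (qualifying a second supplier, holding inventory) would start.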
The holidays are soon approaching. Should companies be focused on supply chain security now, or do they have time?
Rice: Now is definitely the right time to do this because things get squirrely around the holidays. You always see an increase in cyber attacks [that can disrupt supply chains], but there’s also a simultaneous decrease in carefulness. Anyone that’s doing something nefarious to you is almost always going to ramp it up around the holidays. People know that IT staffs are on vacation, so it’s always a great time to try and take advantage of the fact that your staff may be reduced. In addition to this, it’s holiday crunch time and everybody’s running around doing stuff and getting lots of emails. So you don’t know if everyone in your company is being careful about what they click on, but realistically, they’re probably not. So the more that you can train for that now, the more you can get your folks ready for the crunch that’s going to happen.
Do companies spend more effort responding to hacks rather than preventing them? What mitigation measures should they take?
Rice: Yes, it’s like closing the barn door after the horse is out of the barn. But, there are three things to think about if you want to prevent hacks rather than just respond after the fact. One is software patching and vulnerability management. This is just basic hygiene, but it’s super important. Depending on what source you believe, between 30% and 60% of cyberhacks in the last few years were due to known vulnerabilities and unpatched software. So you’re just leaving the door open if you don’t do your patching. You make it too easy for people.
The second is around email security and phishing. You have to work on staff training particularly around the holidays because more people get hooked by phishing around the holidays. People get busier, they get stressed, and they start clicking on things they ordinarily wouldn’t. So you have to get ahead of that by giving them tools for filtering but also through training.
The third is around security monitoring that’s informed ahead of time by automated and AI-based threat intelligence that helps you determine what things are going on. You need to recognize that even if you do all this patching and training, you’re still going to have some issues. It’s just the nature of the beast that there is no 100% security. You have to have a solution in place to watch for those issues and catch things earlier on.
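The third measure, monitoring informed by threat intelligence so that issues are caught early even after patching and training, is straightforward to sketch. The block below is an added example written for this article, not a product or tool from SAP NS2: it parses a handful of constructed SSH authentication log lines, matches source addresses against a constructed indicator list standing in for a threat-intelligence feed, and separately flags any source whose failed-login count exceeds a baseline. The indicator, the hostnames, the addresses (documentation ranges) and the baseline value are all invented placeholders; the log format is the common OpenSSH syslog form.

```python
"""Threat-intel match plus baseline check over sample auth logs (added example)."""
import re
from collections import Counter

# Constructed indicator feed: address -> label. A real deployment would pull
# this from its intelligence platform; 203.0.113.0/24 is a documentation range.
INTEL_IPS = {"203.0.113.7": "credential-stuffing source (constructed indicator)"}

# Constructed log excerpt in OpenSSH syslog style; every value is invented.
LOG_LINES = """\
Dec 24 02:01:10 vpn1 sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 5011
Dec 24 02:01:12 vpn1 sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 5012
Dec 24 02:01:15 vpn1 sshd[311]: Failed password for root from 203.0.113.7 port 5013
Dec 24 02:03:40 vpn1 sshd[340]: Accepted publickey for jdoe from 198.51.100.20 port 40022
Dec 24 02:10:00 vpn1 sshd[355]: Failed password for jsmith from 198.51.100.33 port 40100
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines):
    """Turn matching log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["failed"] = event["outcome"].startswith("Failed")
            events.append(event)
    return events


def detect(events, intel_ips=INTEL_IPS, baseline_failures_per_ip=2):
    """Return alerts of two kinds.

    intel_match:   any activity (successful or not) from an address on the
                   indicator list, reported once per address with a count.
    failure_spike: an address whose failed logins exceed the baseline, which
                   catches sources the feed does not know about yet.
    """
    alerts = []
    failures = Counter(e["ip"] for e in events if e["failed"])
    per_ip = Counter(e["ip"] for e in events)
    for ip, label in intel_ips.items():
        if per_ip[ip]:
            alerts.append({"type": "intel_match", "ip": ip,
                           "events": per_ip[ip], "reason": label})
    for ip, n in failures.items():
        if n > baseline_failures_per_ip:
            alerts.append({"type": "failure_spike", "ip": ip, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(alert)
```

The two checks are deliberately independent: the indicator match fires on a known-bad source even for a single successful login, while the baseline check fires on volume alone, so a new source with no intelligence history still surfaces. The baseline would normally be derived from the organization's own history rather than fixed, and, in line with the point about holiday upticks, be reviewed before a period when staffing drops.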
Can automation and AI threat intelligence help?
Rice: Yes, because you can use these to see what’s happening [with security threats] and learn over time. But it’s like a running battle between the AI on both sides: On the defensive side, we’re trying to get better at learning and seeing more about what’s going on, and then training models as attacks keep happening. The attackers are using AI as well, because they’re trying to hide what they’re doing, so there’s a bit of a standoff.
What do organizations need to consider about supply chain security as the holidays approach?
Rice: First, get your house in order with patch management and training now while you still have some time. Second, understand that there will be an uptick in incidents, so you have to be ready for that. Maybe you can shift your staff a little, because attackers do take advantage of predictable staffing patterns. It’s also a good time to get a third-party assessment of your environment to identify shortcomings and issues. Perfect security is impossible, generally speaking, but very good security is something you can attain.
Jim O’Donnell is a TechTarget news writer who covers ERP and other enterprise applications for SearchSAP and SearchERP.