Tag Archives: cyber security

US Intel Chiefs Urge Business Cooperation On Cybersecurity

But what are the trade-offs in terms of privacy and civil liberties? Highlights from General Keith Alexander and John Brennan keynote at #ISM2018.

During the American Revolutionary war, military commanders of the 13 Colonies realised that the conflict could not be won with soldiers alone. Civilians left their towns and farms to swell the ranks to a level where the British could be pushed back and eventually overcome.

Retired four-star general Keith Alexander (former Director of the National Security Agency) tells delegates at #ISM2018 that just as civilians fought alongside soldiers 240 years ago, there’s currently an urgent need for a public and private partnership to defend against cybersecurity breaches. In other words, business and government need to cooperate if the US is to have any chance of defending against offshore cyberattacks and resultant IP theft.

Calling for a partnership

“I think our approach to cybersecurity has to be changed,” says Alexander. “We need a new strategy.” Companies that suffer data breaches tend to fall into two camps – those that have been attacked and know it, and companies that have been attacked and don’t know it. Alexander says that in an environment where “everybody’s getting hacked,” industry has a responsibility up to a certain level.

The issue is that intelligence agencies (such as the NSA) can’t see what’s in the packets of information that pass through cyberspace at light-speed until after the fact, which means they are relegated to reactive incident response. The solution is for companies to help build a common picture by sharing information so the government can then defend effectively. Alexander gives the example of the energy sector, where 18 companies are working together to share information at network speed.

Alexander also raises the issue of companies that have been attacked being treated as a guilty party, with some organisations getting sued after a cyberattack. “If you want industry to work with government and share what’s hitting them, you’ll have to give them liability protection. We also need to incentivise it so it’s cost-neutral to build up your cyber defence.”

Former Director of the CIA, John Brennan, comments that as difficult as counter-terrorism was, dealing with cybersecurity was even more challenging. “The digital domain is 85% operated by the private sector, and there’s currently no consensus on the government’s role in that environment,” he says. The nature of globalisation means it’s not always easy for a security agency to figure out what’s an American company. “The ecosystem is so interconnected,” says Brennan. “You’re not going to stop globalisation, but you need to [respond to it] in a way that protects government and business interests.”

Privacy trade-offs?

Panel facilitator and ISM CEO Tom Derry raised the question of how you can protect privacy and civil liberties while acting to defend against cyberattacks. According to Alexander, you can do both. “If we’re completely transparent in what we share and ensure everybody agrees to it, we can build a picture that defends our nation.” The consolidation that is taking place as businesses increasingly move into the cloud (usually via a managed service) will help in a cybersecurity sense. “It’s going to come down to consolidation,” says Alexander. “The cloud is going to be the future, collective security in the cloud will be so much better, and you’ll be assured that both your data and your privacy are protected.”

Brennan was less reassuring when it comes to privacy trade-offs. “Lots of privacy and civil liberties have been given up already. People would be shocked about how much of their information is being shared online. We need greater transparency and obligations, and need to be aware of the risks and opportunities. You can’t secure your data the same way you can secure a building.”

What can be done?

Most companies, says Alexander, have a firewall and other measures in place to defend against cyberattacks, but he gives the example of a company with 2,500 people and 5,000 systems that was discovered to have 400,000 unpatched vulnerabilities. “Most companies only try to patch the critical ones.”

Alexander and Brennan list the following solutions:

  • An unprecedented level of partnership and information-sharing between government and business.
  • Behavioural analytics, where a system-user’s behaviour raises red flags if it changes dramatically.
  • Freezing or isolating systems when malware signatures are detected.
  • Better hiring practices, training, procedure and policies to protect against the human element (e.g. Edward Snowden’s data theft).
  • Machine learning and AI systems to cope with the sheer size of the challenge.
  • Be clear on policy: what constitutes an act of war in cyberspace?
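The second bullet above, behavioural analytics, is easier to reason about with a concrete baseline. The following is an added example, not code from the keynote or from any vendor product: it builds a per-user baseline of login hours and source networks from a window of constructed authentication log lines, then scores new events against that baseline and returns the reasons an event was flagged. The log format, the z-score threshold and the 0.5-hour floor on the standard deviation are assumptions chosen for the example.

```python
"""Behavioural baseline check over constructed authentication logs.

Added example: builds a per-user baseline (typical login hour, previously seen
source /24 networks) and flags new events that deviate sharply from it.
Every log line here is constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed history: "<timestamp> <user> <source_ip> <result>"
HISTORY = [
    "2018-05-01T08:55:10Z alice 10.20.1.14 success",
    "2018-05-02T09:02:41Z alice 10.20.1.14 success",
    "2018-05-03T08:47:03Z alice 10.20.1.22 success",
    "2018-05-04T09:15:58Z alice 10.20.1.14 success",
    "2018-05-07T08:59:30Z alice 10.20.1.14 success",
    "2018-05-08T09:05:12Z alice 10.20.1.22 success",
    "2018-05-09T08:50:44Z alice 10.20.1.14 success",
    "2018-05-10T09:10:27Z alice 10.20.1.14 success",
]

# Constructed new events: one ordinary login, one at 03:12 from an unseen network.
NEW_EVENTS = [
    "2018-05-11T09:01:00Z alice 10.20.1.14 success",
    "2018-05-12T03:12:00Z alice 198.51.100.7 success",
]


def parse(line):
    """Split one constructed log line into its fields."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "result": result,
    }


def network(ip):
    """Coarse 'where from': the /24 prefix of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def fractional_hour(ts):
    # Note: hours are not wrapped around midnight; a user who normally logs in
    # around 00:00 would need a circular statistic instead of this linear one.
    return ts.hour + ts.minute / 60


def build_baseline(lines, min_sd_hours=0.5):
    """Per-user mean/std-dev of login hour plus the set of source networks seen."""
    hours = defaultdict(list)
    nets = defaultdict(Counter)
    for e in map(parse, lines):
        if e["result"] != "success":
            continue  # failed attempts do not define 'normal' for this user
        hours[e["user"]].append(fractional_hour(e["ts"]))
        nets[e["user"]][network(e["ip"])] += 1
    baseline = {}
    for user, h in hours.items():
        baseline[user] = {
            "mean_hour": statistics.mean(h),
            # Floor the spread so a very regular user does not trigger on minutes.
            "sd_hour": max(statistics.pstdev(h), min_sd_hours),
            "nets": set(nets[user]),
        }
    return baseline


def score_event(line, baseline, z_threshold=3.0):
    """Return a list of human-readable reasons; an empty list means 'looks normal'."""
    e = parse(line)
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    hour = fractional_hour(e["ts"])
    z = abs(hour - b["mean_hour"]) / b["sd_hour"]
    if z > z_threshold:
        reasons.append(f"login hour {hour:.1f} deviates {z:.1f} sd from baseline")
    net = network(e["ip"])
    if net not in b["nets"]:
        reasons.append(f"unseen source network {net}.0/24")
    return reasons


def review(history, events):
    """Map each flagged event line to its reasons."""
    baseline = build_baseline(history)
    return {ev: r for ev in events if (r := score_event(ev, baseline))}


if __name__ == "__main__":
    for ev, reasons in review(HISTORY, NEW_EVENTS).items():
        print(ev, "->", "; ".join(reasons))
```

Two independent signals (time and origin) are scored so that a single odd value produces a low-confidence flag while both together stand out; in a real deployment the baseline window would be rolled forward and the threshold tuned per population rather than fixed.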

In other news from #ISM2018:

ISM Appoints First Chief Product Officer

Susan Marty to Lead Member Engagement, Market Development and Growth Initiatives for ISM.

In its mission to reflect the voices of everyone in the supply management community, ISM has appointed Susan Marty as its first Chief Product Officer. Ms. Marty will focus on member engagement, market development and growth for ISM, the leading not-for-profit, independent, unbiased resource for everyone in supply management.

“As Chief Product Officer, I am strongly committed to meeting the current and future needs of all ISM members and constituents in a timely and meaningful way. We will continue ensuring that all our offerings – from education and events, to discussions and publications – enable members to advance professionally while making their organizations stronger and better,” said Ms. Marty.

“Susan Marty is an exceptional leader with a talent for building strong customer, partner and industry relationships, and innovating in response to market shifts. At a time of rapid transformation for supply management, she will help ISM remain vital to our entire industry,” said Tom Derry, CEO of ISM.

In addition to her focus on ISM’s educational offerings, Ms. Marty will concentrate on making ISM a source for compelling, customer-driven content, including research, thought-provoking conversations with subject-matter experts, and issue-oriented articles.

She will also lead efforts to bring supply management leaders and practitioners together with technology providers, analysts, and other members of the broader professional community. Whether online or via social media, she will focus on maximizing opportunities for the profession to access all ISM has to offer.

“We are thrilled to have Susan Marty join the ISM team. She is a high-caliber talent with a wealth of experience to help us deliver superior products that are valued by our customers,” said Debbie Fogel-Monnissen, Chief Financial Officer, ISM.

“Susan Marty is exactly the kind of product leader that ISM needs to fulfill the strategy of increasing engagement with the supply management professional. Her background in creating value offerings and communicating them clearly and through multiple channels will help today’s supply management professional leverage ISM’s vast resources,” said Jim Barnes, Managing Director for ISM.

Ms. Marty comes to ISM after serving as Vice President Marketing, Product Management and Sales at WorldatWork. She previously held senior roles at Inter-Tel (now Mitel), Voice Access Technologies, OmniSky and AT&T Wireless (now AT&T Mobility).

UK Accuses Russia Of Massive Cyberattack on Global Supply Chains

Maersk, TNT and other global companies that suffered nearly a billion dollars in collective damages were not the intended targets of a Russia-launched cyberattack. How, then, were they infected?

“The UK government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyberattack. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds. We call upon Russia to be the responsible member of the international community it claims to be, rather than secretly trying to undermine it.”

This statement was part of the UK Government’s unusual step last week of publicly accusing the Russian military of being behind a cyberattack. The White House also called out Russia, issuing the following statement: “In June 2017, the Russian military launched the most destructive and costly cyberattack in history. This was also a reckless and indiscriminate cyberattack that will be met with international consequences.”

Experts believe that Russian hackers launched 2,000 “NotPetya” attacks in the early hours of June 27 last year. NotPetya was designed to masquerade as ransomware, but was soon revealed to be wiper malware with the purpose of destroying computer systems, erasing data and disrupting business operations.

Global firms were collateral damage

One of the consequences of living in a connected world is increased vulnerability to indiscriminate cyberattacks, even for organisations that are not the hackers’ intended victims.

NotPetya’s primary target was a shipping company in Ukraine, which has been locked in conflict with Russian-backed separatists since 2014. However, the virus-like nature of the cyberattack meant that businesses with strong trade links with Ukraine, including parts of FedEx, Danish shipping giant Maersk, UK manufacturer Reckitt Benckiser, and Dutch delivery firm TNT were also affected. Pharmaceutical firm Merck & Co and FedEx reported permanent damage to their systems, while a West Virginia health system had to replace its entire network after being attacked.

Russian officials have responded that the claims are “groundless” and that Russian businesses were among those whose systems were affected.

Read more: Wall Street Journal


In other news this week:

Unilever Publishes Palm Oil Supplier Data

  • In a move to boost transparency, consumer goods giant Unilever has published the location of over 1,400 mills and over 300 direct suppliers of palm oil.
  • The palm oil industry is under increasing pressure from consumers after revelations of deforestation and human rights abuses in Indonesia and other countries.
  • A spokesperson from Unilever said the company hoped that sharing the information would be the start of a new industry-wide movement towards supply chain transparency.

Read more: The Straits Times


Tennessee Truck Dealership Selling Dirty Engines

  • A loophole in emissions control laws has enabled a truck dealership to sell Peterbilt and Freightliner trucks with rebuilt diesel engines that spew 40 to 55 times the air pollution of other trucks.
  • The New York Times reports that the loophole is being “championed” by Environmental Protection Agency administrator Scott Pruitt after the Obama administration failed to close it.
  • The trucks are known as “gliders” because they are manufactured without engines and are later retrofitted with the rebuilt, 1990s-era engines recovered from salvage yards.

Read more: New York Times


CIPS Announces New Group CEO

  • The Chartered Institute of Procurement & Supply (CIPS) last week announced the appointment of Malcolm Harrison (FCIPS) as Group CEO.
  • Currently Chief Executive Officer of the Crown Commercial Service at The Cabinet Office, Harrison will take over the post from the current interim CEO, Gerry Walsh, in July 2018.
  • The announcement comes nearly one full year after the sudden passing of former CEO David Noble in February 2017.

Read more: https://www.cips.org/en-cn/news/news/cips-announces-group-ceo-appointment/

Going Abroad? Tips For Staying Cyber-Safe

Keeping thieves at bay when travelling used to involve money pouches and hidden pockets. These days, the threat has moved into the cyber sphere. Keeper Security’s Co-founder Darren Guccione explains.

The holiday/vacation period is looming, and many people are making plans for international travel. If you are among them, be sure you have done all you can to take responsibility for cybersecurity when travelling. After all, it’s a dangerous world out there when it comes to the cyber threat environment. Some common sense and preparation will go a long way toward ensuring your international travel memories are of the good kind.

Let’s break down the tips and tricks of cyber safe travel into two categories. The first is basic “blocking and tackling,” which for the most part is done prior to your travel. The second category deals with security tips once you are on the road.

First, a note about U.S. Border Patrol agents

It is important to know in advance that the travel environment itself has changed. While travelling within the U.S., TSA agents at the gates are not allowed to confiscate your digital devices, nor are they allowed to demand passwords to get into them. If such attempts are made, demand to speak to a supervisor.

The rules, however, are different for U.S. Border Patrol agents and for agents in other nations too. Recently there have been multiple news reports of U.S. citizens having to turn over digital devices and their passwords as a condition for entering or re-entering their own country. What can the border agents do with your passwords or data on your devices? How long can they keep that information? How long can you be detained? These and other questions are not easy to answer. But as you will see from the tips and tricks below, there is much that can be done to minimise what might be compromised or inspected while you ensure your trip overall is as cyber safe as it can be.

Before you head out: basic blocking and tackling

  1. Back up your e-files. Just presume you are going to lose everything on your devices. If all data is backed up before you leave, then if you lose your device you won’t lose what really matters most to you.
  2. Don’t carry sensitive data. This is easier said than done if you are mixing business and pleasure, but it is not unreasonable to just leave behind all the sensitive files you are not likely to use. Store them on cloud backup or on removable media. But get them off your devices.
  3. Change all passwords for all devices. When doing this, use two-factor authentication if possible, which most devices have today. Make the passwords eight characters or longer with a combination of nonsensical letters, numbers, and symbols. Download a free password manager that will do all the work of creating complex passwords and remembering them for you.
  4. If you haven’t checked recently, this is an excellent time to be sure your antivirus software is current. There is plenty of danger lurking in foreign hotels, coffee houses, and even airports, as we’ll see. This software is your first line of defence.
  5. If your smartphone allows, and most do, enable the feature that automatically erases all data in the event of multiple failed password attempts (usually 10 or so).
  6. If available, enable anti-theft software (often through the cloud) that allows you to lock your device remotely if it is stolen. Enable and activate the “find my phone/device” function so if your phone or tablet is stolen, you can track it, disable it, and change all the passwords.
  7. Be mindful of movies, books, and other things you have loaded onto your devices that could be considered pornographic or otherwise illegal in certain other countries. Also, some downloads considered legal in the U.S. may actually violate local intellectual property or digital asset rights in other countries, should your device be searched. Just err on the side of caution: store anything that might be construed as such elsewhere and remove it from your devices.
  8. Disable Wi-Fi auto-connect options from all devices before you leave, such that you have to manually connect when you think it is safe to do so. The best approach is to buy a subscription to services that only connect to secure Wi-Fi hotspots throughout the world. Rates are inexpensive and getting more so all the time. Just do a search on “unlimited wifi.” If you will need to transfer or access sensitive data abroad, consider getting a highly secure VPN connection on a daily or weekly rental basis. Just search “VPN rental.”
  9. Similarly, disable Bluetooth connectivity. If left on, cyber thieves can connect to your device in a number of different and easy ways. Once they are in, your cyber world is their oyster!
  10. Finally, if you do not have an international subscriber identity module, better known as a SIM card, or do not have a roaming package on your smartphone, your two-factor authentication access will be limited. All the more reason to purchase a secure Wi-Fi data plan.

Now that you’ve arrived…

The tips and tricks in this list really won’t take long at all for travellers to put in place. Doing so is great insurance against many of the cyber threats that lurk when your plane touches down on foreign soil. But once that happens and your excitement builds as you head to the luggage carousel, your cybersecurity work is not done. Here are some steps to promote cyber-safety on the ground:

  1. Double check to be sure all of your apps are password protected with fresh, new passwords, ideally stored in your password management system so you don’t have to remember any of them. And don’t use the same PIN for hotel room safes that you use for your device password.
  2. At all cost, avoid using “public” digital devices, such as those at coffee houses, libraries, and bookstores. They are often notoriously riddled with malware lurking to steal your information. If you use them, you should presume that someone other than you would see any information you enter.
  3. Be very careful about connecting to any Wi-Fi network if you haven’t subscribed to a global service previously, per the tip above. These are prime milieus for cyberthieves. Say you are in a train station (Bahnhof) in Germany. You scan your device for a wireless network and there are several. A legitimate one might be “bahnhofwifi” – but you don’t know that. A cyberthief has set up his own Wi-Fi trap and it shows up as “bahnhoffwifi,” with but one letter changed. Connect to that and your troubles are just starting.
  4. Don’t charge your devices using anything other than your own chargers plugged directly into the wall or into your adapter. It is easy for cyber thieves to install malware onto hotel and other public docking stations.
  5. Never connect any USB drive or other removable media that you don’t personally own. Again, they are easy to load with malicious software.
  6. This goes without saying, but NEVER let your devices leave your sight. If you cannot physically lock devices in your hotel room safe or other secure place, take them with you. There are no good hiding spots in your hotel room. And, of course, never check your devices with your luggage.
  7. Most social media sites are happy to automatically share your location as you post photos and messages. This also tells thieves back home that you are away, which is a great time to break in. So limit the information you post regarding your location at any point in time.
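Tip 3 in the list above describes a lookalike network name that differs from the legitimate one by a single letter. The following is an added example, not code from Keeper Security or from the article: it takes a constructed list of scan results and a short allowlist of network names the traveller has confirmed (from the hotel's printed card, or the subscription service mentioned in the pre-travel tips), and sorts each visible network into trusted, lookalike (within a small edit distance of a trusted name but not identical) or unknown. The scan results, the allowlist and the distance cut-off of 2 are assumptions for the example; the check only catches misspelled variants, so it complements rather than replaces the advice to use a trusted VPN.

```python
"""Lookalike Wi-Fi network name check over constructed scan results.

Added example: compares visible SSIDs with an allowlist of confirmed names and
flags near-misses (edit distance 1 or 2) as lookalikes. All input is constructed.
"""

# Constructed: names the traveller has confirmed out-of-band (printed card, provider app).
TRUSTED_SSIDS = {"bahnhofwifi", "MyWifiProvider"}

# Constructed: what a device might list in a station. (ssid, security) pairs.
SCAN_RESULTS = [
    ("bahnhofwifi", "WPA2"),
    ("bahnhoffwifi", "open"),      # one extra letter, the case in the article
    ("Bahnhof-WiFi", "open"),      # same name with different case and a hyphen
    ("FreeAirportWiFi", "open"),
    ("MyWifiProvider", "WPA2"),
]

LOOKALIKE_MAX_DISTANCE = 2  # assumption: 1-2 edits is 'suspiciously close'


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(ssid):
    """Case-fold and drop separators so 'Bahnhof-WiFi' compares as 'bahnhofwifi'."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())


def classify(ssid, trusted, max_distance=LOOKALIKE_MAX_DISTANCE):
    """Return 'trusted', 'lookalike' or 'unknown' for one visible network name."""
    if ssid in trusted:
        return "trusted"
    norm = normalise(ssid)
    for good in trusted:
        d = levenshtein(norm, normalise(good))
        # Not an exact (case-sensitive) match, yet within a few edits of a
        # trusted name: exactly the one-letter trap the article describes.
        if d <= max_distance:
            return "lookalike"
    return "unknown"


def classify_scan(scan_results, trusted):
    """Map every visible SSID to its verdict."""
    return {ssid: classify(ssid, trusted) for ssid, _security in scan_results}


def report(scan_results, trusted):
    """Human-readable lines; open (unencrypted) networks are called out as well."""
    verdicts = classify_scan(scan_results, trusted)
    lines = []
    for ssid, security in scan_results:
        note = verdicts[ssid]
        if security == "open":
            note += ", unencrypted"
        lines.append(f"{ssid!r}: {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_RESULTS, TRUSTED_SSIDS)))
```

Case-folding and stripping separators before measuring distance matters: "Bahnhof-WiFi" is zero edits from the trusted name once normalised, yet it is not the name the card says, so it is reported as a lookalike rather than silently accepted.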

Bon voyage! And safe cyber-travels.

Darren Guccione is Co-founder and CEO of Keeper Security, a password manager app and digital vault for consumers and enterprises with 9 million+ users.

Cyber Criminals Could Hold Your Data Hostage

Password theft, identity theft, ransomware – in an age where hacking has become the career of choice for tech-savvy criminals, data protection must be a top priority for CPOs.

“Cyber criminals don’t need to even leave their house to do damage,” says Craig Hancock, cybersecurity expert and Executive Director of Telstra Service Operations. “One breach of trust and the consequences can be irreparable. These days, the traditional idea of criminals – think balaclavas, weaponry, a getaway car – has moved off the streets and into cyberspace.”

Are you prepared for cyber criminals? Do you have your business information secured? How do you manage the confidential information of your customers? And what do you have in place to mitigate risk?

Hancock will deliver a cybersecurity update at the upcoming 10th Asia-Pacific CPO Forum, where he’ll demonstrate how frighteningly easy it is to steal data from a computer by showing a live hack. “I’m planning on showing the group how easy it can be to hack a business, with basic tools and knowledge. I want to make sure everyone is aware about what goes on in the world of cybersecurity threats, and give them some understanding of what they should be doing to help mitigate these threats.”

“Mitigate” is a key word here, as Hancock predicts the cybersecurity challenge faced by businesses and organisations will continue to grow year on year. Notably, he says that any organisation offering a fix-all solution to “solve” your cybersecurity challenge should be avoided.

“It’s an ongoing challenge – cybersecurity has evolved enormously from five years ago, and is likely to look entirely different again by 2020. There’s no single ‘fix’ and there are plenty of bright, shiny objects to distract your security team. You would be wise to put in place some basic, common-sense measures and controls and partner with an organisation that understands the extent of the threat.”

What are the risks?

Cybercrime can be initiated through your head office, at a weak point in your supply chain, or even through IoT-enabled devices with low-level protection. Among the types of crime that can take place, Hancock mentions:

  • Password theft: with the obvious prize being the password or access code to users’ bank accounts.
  • Identity theft: a customer’s date of birth and other key information (such as health records) enables criminals to assume their identity, or to sell on this information to others. This can be very expensive for the company that has suffered the breach.
  • Ransomware: Hackers can lock your company’s data in an encrypted vault and demand a ransom for its release. A famous example of this occurred last year when a cyberattack on a Los Angeles hospital left doctors locked out of patient records for over a week, with the hackers demanding a ransom of $3.7 million in Bitcoin.

Telstra’s Craig Hancock will deliver a cybersecurity update at PIVOT: The Faculty’s 10th Annual Asia Pacific CPO Forum.

US Intelligence to Aid Supply Chains Against Cyber Attacks

A new US Intelligence campaign is set to help supply chains defend themselves against cyber attacks.

Cyber attacks

As businesses and supply chains grow increasingly global, risk inevitably increases at the same rate. One of the most high-profile risks for supply chains currently is cyber attacks and hacking.

With each passing year, the cyber attacks get bigger. In June, the Democratic National Committee was breached by Russian hackers, and 20,000 e-mails, linked to Hillary Clinton’s Presidential campaign, were posted online.

In March, the Bangladesh Federal Reserve lost $100 million to hackers, with only $20 million recovered so far. Over 4,700 cyber attacks have been reported in the US alone since 2005, impacting hundreds of millions of people.

However, organisations with cross-border supply chains are about to get a helping hand in the fight against cyber attacks.

Cyber Attacks & Vulnerable Supply Chains

The National Counterintelligence and Security Centre will provide sensitive information, including classified threat reports, to companies about the risks of hacking in their supply chains.

The move is part of an effort to increase responsibility and education for organisations for supply chain security. It has previously been highlighted that there is a lack of understanding in US companies that having international suppliers makes supply chains vulnerable to cyber attacks.

“The supply chain threat is one that’s the least talked about but is the easiest to manipulate for all aspects of our daily lives,” said NCSC Director, William Evanina.

Domestic & Foreign Threats

The NCSC campaign will initially focus on supply chains linked to both China and Russia, the alleged sources of previous hacks. However, it will also be aimed at domestic hackers, criminal enterprises, and even disaffected former employees.

The campaign will prioritise telecommunications, energy and financial services corporations first. This is in part due to the nature of the business, but also their strategic importance to US national security.

As well as cyber attacks, the NCSC will also be providing information and advice on so-called “hands on” crimes, such as the theft of classified information or the destruction of sensitive equipment.

Procurement Must “Play Full Part”

As part of the efforts to reduce cyber attacks, the key role of procurement has been highlighted. Evanina emphasised that procurement needs to be fully integrated with other areas of the organisation to help mitigate risk.

He highlighted the role of ongoing due diligence to support initial investment in cyber security software and programmes. This would be carried out by procurement, but in partnership with the other areas of the business.

Evanina expands on the role of procurement in this video. He states that research into suppliers, and into their own supply chains, is critical in mitigating the risk.

Wider World

Although the work to be carried out as part of the campaign is primarily aimed at US companies, the applicability is there for all global supply chains.

Many US-based companies will purchase goods from overseas suppliers, and at the same time there will be companies purchasing from US suppliers. The inter-connected nature of the supply chain, as well as increased connectivity across technological platforms, increases the risk to organisations.

Carrying out due diligence on suppliers, knowing the full supply chain, and, perhaps most importantly, ensuring procurement plays a full part in organisational security, is a way to help mitigate this risk.

Will your organisation be taking advantage of the advice from the NCSC? Will you be impacted by any changes that take place? Let us know in the comments below.

Want to know what’s happening in the world of procurement and supply chain? Well, we’ve picked out the key headlines from the past week to keep you up to date…

Verisk Maplecroft Releases Modern Slavery Index
  • Global Risk Analysts, Verisk Maplecroft, have released their latest supply chain modern slavery index.
  • According to the Index, modern slavery constitutes a ‘high’ or ‘extreme risk’ in 115 countries worldwide.
  • Major exporters China and India fall again into the extreme risk category. The UK is one of only four countries seen as ‘low risk’.
  • The report notes that most countries have some form of anti-slavery legislation or framework in place, but lack the resources to enforce these laws.

Read more at Forbes

African Countries Ban Secondhand Clothing Imports
  • A ban on imports of secondhand clothing is to be implemented by the Governments of the East African Community.
  • The group, including Kenya, Tanzania, and Uganda, proposed the ban in order to stimulate the apparel industry in their countries.
  • It is hoped that the measure will also create jobs and bolster the countries’ economies.
  • The rise of ‘fast fashion’ has led to a dramatic increase in the region’s secondhand clothing imports over the past decade.

Read more at Sustainable Brands

Scotland Launches Brexit Stimulus Fund
  • The Scottish Government has announced plans to create a stimulus fund following the UK’s decision to leave the EU.
  • The fund will add an additional £100 million to capital spending to support Scottish businesses.
  • Funds will be allocated to projects based on jobs creation and impact on the overall supply chain.
  • The Government also announced the creation of a Business Information Service to support businesses affected by the vote.

Read more at Supply Management

Shipping Industry Struggles Continue
  • As the results for the first half of 2016 are released, the struggles in the shipping industry look set to continue.
  • Hapag-Lloyd and Orient Overseas have both reported first half losses for 2016, with Maersk expected to do likewise this week.
  • Decreasing freight rates and overcapacity have been blamed for the current plight of the industry.
  • Hapag-Lloyd plans on acquiring United Arab Shipping Co., a deal that could deliver $400 million in savings annually.

Read more at the Wall Street Journal