Tag Archives: cyber threat supply chain

Are Employees the Weak Link in Company Cyber Security?

Are your employees leaving the door open for cyber attacks? Here’s how to help them reduce the cyber security threat.


Employees are a significant risk to their employer’s cyber security according to research by specialist global executive search and interim management company Norrie Johnston Recruitment (NJR).

The research forms part of NJR’s cyber security report, ‘How real is the threat and how can you reduce your risk‘. The report shows that:

  • 23 per cent of employees use the same password for different work applications.
  • 17 per cent write down their passwords.
  • 16 per cent work while connected to public Wi-Fi networks.
  • 15 per cent access social media sites on their work PCs.

Such bad habits and a lack of awareness about security mean that employees are inadvertently leaving companies’ cyber doors wide open to attack.

This research is supported by a report which incorporates the advice from fifteen experts in the field. In it, Benny Czarny, Founder of OPSWAT, discusses the top tips to avoid massive data breaches.

“With Sony recently setting aside $15M to investigate the reasons for, and remediate the damage caused by, last year’s data breach, many of our customers—from large enterprises to small businesses—are wondering what they need to do to make sure they aren’t the next big data breach headline.

The good news is that most data breaches can be prevented by taking a common sense approach, coupled with some key IT security adjustments.

1. Employees’ security training is an absolute necessity. 

I cannot emphasise this point enough, as your network is only as safe as your most gullible employee. Even the most sophisticated security systems can be compromised by human error. The Sony breach started with phishing attacks.

And people still also use USB devices from unknown sources, which is allegedly how the Stuxnet worm was delivered.

2. Access to executable files should be limited to those who need them to complete their duties. 

Many threats are borne via self-extracting files. Therefore, limiting the number of employees who are allowed to receive this file type limits your exposure.

Your IT department absolutely needs the ability to work with executable files. Bob in accounting? Not so much!

3. MS Office documents and PDFs are common attack vectors. 

Vulnerabilities are identified in MS Office and Adobe Reader on a regular basis. While patches are typically released very quickly, if the patches are not applied in a timely fashion the vulnerability can still be exploited.

As an everyday precaution, document sanitisation is recommended to remove embedded threats in documents.

4. Data workflow audits are essential. 

Data can enter your organisation through many different points – email, FTP, external memory device, etc. Identifying your organisation’s entry points and taking steps to secure them is a critical step in avoiding data breaches.

At a minimum, scanning incoming and outgoing email attachments for viruses and threats, and implementing a secure file transfer solution, should be considered.
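Tips 2 and 4 above come down to one control at the email gateway: decide what an attachment actually is from its bytes rather than its name, and let executable content through only to the people whose job needs it. The script below is an added illustration of that gate; it is not OPSWAT’s, NJR’s or any vendor’s code. The recipient group names and the sample attachments are constructed for the example, and only the leading bytes of each format are checked (a self-extracting archive is an ordinary Windows executable, so it is caught by the same `MZ` signature). PDFs and Office files are not judged here; they are routed onward for the document sanitisation that tip 3 recommends.

```python
"""Attachment gate: classify attachments by content (magic bytes), not by
filename, and enforce who may receive executable content.

Added illustration for this page; not OPSWAT's, NJR's or any vendor's code.
The group names and sample attachments below are constructed.
"""
from dataclasses import dataclass

# Leading bytes that identify executable or self-extracting formats.
# Self-extracting archives are plain PE executables, so they match "MZ".
EXECUTABLE_MAGIC = {
    b"MZ": "pe-executable",        # Windows EXE/DLL/SCR, incl. self-extractors
    b"\x7fELF": "elf-executable",  # Linux/Unix binaries
    b"#!": "script",               # shebang scripts
}
# Other types the gate recognises but does not treat as executable.
OTHER_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip-or-office",  # DOCX/XLSX/PPTX are ZIP containers
}

# Extensions that claim to be documents; executable content under one of
# these names is a disguise and is blocked for every recipient.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

# Recipient groups allowed to receive executable content (assumed names).
EXECUTABLE_ALLOWED_GROUPS = {"it-ops"}


@dataclass
class Attachment:
    filename: str
    content: bytes


def content_kind(content: bytes) -> str:
    """Classify by leading bytes; the filename is deliberately ignored."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return kind
    for magic, kind in OTHER_MAGIC.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def is_executable(kind: str) -> bool:
    return kind in EXECUTABLE_MAGIC.values()


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def decide(att: Attachment, recipient_group: str) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'sanitise' or 'block'."""
    kind = content_kind(att.content)
    ext = extension(att.filename)
    if is_executable(kind):
        if ext in DOCUMENT_EXTENSIONS:
            # e.g. "invoice.pdf" whose bytes are a PE file
            return ("block", f"{kind} disguised as .{ext}")
        if recipient_group not in EXECUTABLE_ALLOWED_GROUPS:
            return ("block", f"{kind} not permitted for group {recipient_group}")
        return ("allow", f"{kind} permitted for group {recipient_group}")
    if kind in ("pdf", "zip-or-office"):
        # Not executable, but a common exploit carrier: send to the sanitiser.
        return ("sanitise", f"{kind} routed for document sanitisation")
    return ("allow", f"{kind} content")


# Constructed sample attachments (truncated headers, not real files).
SAMPLES = [
    (Attachment("setup.exe", b"MZ\x90\x00\x03\x00"), "it-ops"),
    (Attachment("setup.exe", b"MZ\x90\x00\x03\x00"), "accounting"),
    (Attachment("invoice.pdf", b"MZ\x90\x00\x03\x00"), "it-ops"),
    (Attachment("invoice.pdf", b"%PDF-1.7\n"), "accounting"),
    (Attachment("deploy.sh", b"#!/bin/sh\n"), "accounting"),
    (Attachment("notes.txt", b"Quarterly numbers\n"), "accounting"),
]


def run_samples():
    """Apply the gate to every sample; returns (filename, group, verdict)."""
    results = []
    for att, group in SAMPLES:
        verdict, reason = decide(att, group)
        results.append((att.filename, group, verdict))
        print(f"{att.filename:12} -> {group:10}: {verdict:8} ({reason})")
    return results


if __name__ == "__main__":
    run_samples()
```

The design point is the order of the checks: a disguised executable is blocked before the recipient’s group is consulted, because “Bob in accounting” and the IT department should both refuse a `.pdf` that starts with `MZ`. Archives are only recognised, not opened, so a production gate would also have to inspect ZIP contents.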

5. Store sensitive data in separate locations. 

Simple data segregation could have mitigated the impact of the Sony breach. The hack exposed both internal communications and unreleased video files.

Had the videos and emails been stored on two separate systems some of the damages may have been prevented.

6. Internal and external penetration tests are critical. 

Internal testing is a valuable tool, but hiring an outside party to attempt to breach your network will identify security holes your team may have missed.

7. Keep your security architecture confidential. 

You may be excited about your innovative networking solution or new cloud-based storage system, but think twice about making any of that information public!

8. Remember that traffic generated internally to your security system may still be suspect. 

For example, the Sony malware connected to an internal security system to impersonate legitimate traffic to disguise its malicious nature.

9. Multilayer defence is needed. 

I like to describe defence in depth by comparing it to the defence systems you might see at a castle. It could be defended by a large stone wall, followed by a deep moat, followed by a draw-bridge, followed by an iron gate, etc.

A single layer of defence is not sufficient for your data. It must be protected by multiple systems working in parallel. That way if one layer is breached your data is not exposed.

10. Finding your weakest security link is your top priority. 

Every office has one, and it will vary wildly from organisation to organisation. It might be the employee with their passwords taped to their monitor. It might be the deprecated Linux server everyone seems to have forgotten about.

You might not be looking for those weak links, but rest assured that cyber attackers are. The question is: Who will find them first?”

To read more useful and practical insights into topics including how to assess the scale of your risk level and managing the immediate aftermath of a security breach, download the full report.

US Intelligence to Aid Supply Chains Against Cyber Attacks

A new US Intelligence campaign is set to help supply chains defend themselves against cyber attacks.


As businesses and supply chains grow increasingly global, risk inevitably increases at the same rate. One of the highest-profile risks for supply chains at present is cyber attacks and hacking.

With each passing year, the cyber attacks get bigger. In June, the Democratic National Committee was breached by Russian hackers, and 20,000 e-mails, linked to Hillary Clinton’s Presidential campaign, were posted online.

In March, the Bangladesh Federal Reserve lost $100 million to hackers, with only $20 million recovered so far. Over 4,700 cyber attacks have been reported in the US alone since 2005, impacting hundreds of millions of people.

However, organisations with cross-border supply chains are about to get a helping hand in the fight against cyber attacks.

Cyber Attacks & Vulnerable Supply Chains

The National Counterintelligence and Security Centre will provide sensitive information, including classified threat reports, to companies about the risks of hacking in their supply chains.

The move is part of an effort to increase responsibility and education for organisations for supply chain security. It has previously been highlighted that there is a lack of understanding in US companies that having international suppliers makes supply chains vulnerable to cyber attacks.

“The supply chain threat is one that’s the least talked about but is the easiest to manipulate for all aspects of our daily lives,” said NCSC Director, William Evanina.

Domestic & Foreign Threats

The NCSC campaign will initially focus on supply chains linked to both China and Russia, the alleged sources of previous hacks. However, it will also be aimed at domestic hackers, criminal enterprises, and even disaffected former employees.

The campaign will prioritise telecommunications, energy and financial services corporations first. This is in part due to the nature of the business, but also their strategic importance to US national security.

As well as cyber attacks, the NCSC will also be providing information and advice on so-called “hands on” crimes, such as the theft of classified information or the destruction of sensitive equipment.

Procurement Must “Play Full Part”

As part of the efforts to reduce cyber attacks, the key role of procurement has been highlighted. Evanina emphasised that procurement needs to be fully integrated with other areas of the organisation to help mitigate risk.

He highlighted the role of ongoing due diligence to support initial investment in cyber security software and programmes. This would be carried out by procurement, but in partnership with the other areas of the business.

Evanina expands on the role of procurement in this video. He states that research into suppliers, and their own supply chains is critical in mitigating the risk.

Wider World

Although the work to be carried out as part of the campaign is primarily aimed at US companies, the applicability is there for all global supply chains.

Many US-based companies will purchase goods from overseas suppliers, and at the same time there will be companies purchasing from US suppliers. The inter-connected nature of the supply chain, as well as increased connectivity across technological platforms, increases the risk to organisations.

Carrying out due diligence on suppliers, knowing the full supply chain, and, perhaps most importantly, ensuring procurement plays a full part in organisational security, is a way to help mitigate this risk.

Will your organisation be taking advantage of the advice from the NCSC? Will you be impacted by any changes that take place? Let us know in the comments below.

Want to know what’s happening in the world of procurement and supply chain? Well, we’ve picked out the key headlines from the past week to keep you up to date…

Verisk Maplecroft Releases Modern Slavery Index
  • Global Risk Analysts, Verisk Maplecroft, have released their latest supply chain modern slavery index.
  • According to the Index, modern slavery constitutes a ‘high’ or ‘extreme risk’ in 115 countries worldwide.
  • Major exporters China and India fall again into the extreme risk category. The UK is one of only four countries seen as ‘low risk’.
  • The report notes that most countries have some form of anti-slavery legislation or framework in place, but lack the resources to enforce these laws.

Read more at Forbes

African Countries Ban Secondhand Clothing Imports
  • A ban on imports of secondhand clothing is to be implemented by the Governments of the East African Community.
  • The group, including Kenya, Tanzania, and Uganda, proposed the ban in order to stimulate the apparel industry in their countries.
  • It is hoped that the measure will also create jobs and bolster the countries’ economies.
  • The rise of ‘fast fashion’ has led to a dramatic increase in the region’s secondhand clothing imports over the past decade.

Read more at Sustainable Brands

Scotland Launches Brexit Stimulus Fund
  • The Scottish Government has announced plans to create a stimulus fund following the UK’s decision to leave the EU.
  • The fund will add an additional £100 million to capital spending to support Scottish businesses.
  • Funds will be allocated to projects based on jobs creation and impact on the overall supply chain.
  • The Government also announced the creation of a Business Information Service to support businesses affected by the vote.

Read more at Supply Management

Shipping Industry Struggles Continue
  • As the results for the first half of 2016 are released, the struggles in the shipping industry look set to continue.
  • Hapag-Lloyd and Orient Overseas have both reported first half losses for 2016, with Maersk expected to do likewise this week.
  • Decreasing freight rates and overcapacity have been blamed for the industry’s current plight.
  • Hapag-Lloyd plans to acquire United Arab Shipping Co., a deal that could deliver $400 million in savings annually.

Read more at the Wall Street Journal

Is shipping & the supply chain the ‘next playground for hackers’?

The International Maritime Bureau (IMB) is warning the maritime sector to be extra vigilant in light of increasing attacks from cyber criminals.

Do hackers pose a risk to the maritime industry?

For a bureau that has traditionally focussed its efforts on fighting piracy and armed robbery at sea, this new digital threat puts an entirely different menace in its crosshairs.

The IMB has been quoted as saying, “Recent events have shown that systems managing the movement of goods need to be strengthened against the threat of cyber-attacks.

“It is vital that lessons learnt from other industrial sectors are applied quickly to close down cyber vulnerabilities in shipping and the supply chain.”

This is cause for concern for the maritime industry especially as ships, containers and rigs are all connected to computer networks. If hackers find but one weakness, it can expose the entire network and make it open to exploitation on a grand scale.

Various cyber security experts have sounded off on this very subject during the past few months, and the media has been quick to pick up on it. Reuters reported that a floating oil rig was compromised by hackers who tilted it onto its side. The rig was out of action for 19 days while malware was removed from its computer systems.

In Antwerp hackers gained access to port-side computers that enabled them to target specific containers, before making off with the booty and wiping away any telltale digital fingerprints.

The latest warning from the IMB quotes Mike Yarwood – TT Club’s insurance claims expert, speaking at the TOC Container Supply Chain Europe Conference in London. “We see incidents which at first appear to be a petty break-in at office facilities. The damage appears minimal – nothing is physically removed.”

Mike continues: “More thorough post incident investigations however reveal that the ‘thieves’ were actually installing spyware within the operator’s IT network.”

In scenarios similar to the incident in Antwerp, hackers tend to track individual containers through the supply chain to their destination port. Along the way the IT systems related to the cargo are infiltrated, resulting in the hackers either gaining entry to, or generating release codes for, specific containers.

The International Maritime Bureau is a specialized department of the International Chamber of Commerce.