For years now, experts have warned that new technologies could be exposing users to additional risks, whether through security loopholes or simply a lack of training. Last year’s malware attacks that struck the logistics industry underscored just how vulnerable supply chains really were, and subsequently prompted an industry-wide soul-searching.
“Is your company ready for the next attack?”
Now that companies have hundreds of thousands or millions of endpoints constantly writing data to and reading data from their systems, the number of entry points for hackers is growing. That will only get worse. Trends like e-commerce and a growing global class of super-consumers mean that more marketplace value will shift towards logistics. That’s going to attract more criminals as well.
The good news is, there are plenty of steps companies can take to ward off most of these threats. In this installment of Executive Insights, we chatted with PhishTrain Co-Founder Jake Sylvestre about how managers should think about security, and what steps they can take to protect their clients, their reputations, and ultimately, their bottom line.
Shipping and Freight Resource: How have recent technological advances opened up new risks for supply chain companies?
Jake Sylvestre: While the digital transformation of supply chains has improved efficiency greatly, it has also opened up many new attack surfaces. A decade ago, most supply chain management systems consisted of a monolithic SAP instance and many consoles with access to that software. Today, some companies have hundreds of thousands or millions of endpoints constantly writing data to and reading data from their systems. Every one of these endpoints represents another potential attack surface and therefore something that has to be continuously audited, monitored and kept up to date.
Perhaps more threatening to the supply chain industry than any technology advance over the last two decades is the sheer growth of the industry. Supply chain management has been adding hundreds of thousands of jobs. A recent report from MHI related that there are currently six to eight supply chain management jobs available for every applicant. This rapid growth, while beneficial to the supply chain management industry, has opened up a Pandora’s box of risk. Today you have more employees than ever, interacting with more data than ever and with more attack surfaces than ever. The risks have just exploded as the industry has grown.
What role does training play in maintaining cyber security, and where can companies start if they want to ramp up?
Training is incredibly important in maintaining security. To simultaneously overuse a cliché and make a bad supply chain management pun: “You’re only as strong as your weakest link.” Training in supply chain management can be incredibly tough to do: employees can be spread out across the globe, and peak shipping times can make getting in even an hour of training nearly impossible.
That’s why it is important to have a carefully planned out training strategy. If you have peak times in the year where doing at-length training isn’t tenable (such as Christmas), then stick to an email warning employees to stay aware during that time of the year. More importantly, make sure to teach employees what to stay aware of. If your organization is big enough, I would strongly urge you to set up a security awareness training program through a company like us or Global Learning Systems. The risk mitigation of these programs far outweighs the costs.
What new threats have emerged, and what is PhishTrain’s approach to staying ahead of cyber criminals?
While I believe that the explosion of Internet of Things (IoT) endpoints in supply chain does represent a major security risk, I think the biggest risk remains the human element. Phishing is nothing new and remains the biggest risk to any company. How phishing attacks are being carried out has become incredibly advanced. For instance, some phishing attacks now consist of calling your telephone provider and pretending to be you in order to switch your phone number over to a phone owned by the attacker. This is followed by using your phone number as two-factor verification to reset your password. Finally, they will use your email to monitor conversations with your partners and have them wire money to an account not belonging to you. This level of complexity is becoming increasingly common across all industries, but is even more threatening to the supply chain industry.
Consider this: using the method above, someone hacks into one of your employees’ emails and tells them to ship goods to the wrong place. These goods could even be sensitive, such as pharmaceuticals, chemicals or other substances that you and your customers wouldn’t want getting into the wrong hands.
PhishTrain is getting ahead of these threats by designing phishing simulation tests that address the above attack vectors and training that continuously makes employees aware of these threats.
For smaller companies that don’t have internal cybersecurity experts, what questions should they start by asking themselves, to know what to do next?
Despite not having internal cybersecurity experts, most companies have some kind of managed service provider (MSP) that handles their technology. My recommendation would be to make sure that these managed service providers are on top of security and ask them about security awareness training programs. Despite the risks, many smaller managed service providers have yet to set up any kind of security awareness training programs. Unfortunately, many customers have to advocate for themselves in this regard.
Can you talk about striking the right security balance between technology and training, and what role the human element plays in 2018?
Most hackers are what I like to call “vector agnostic”. That means they don’t care if they get into your system through a fancy “0-day” malware exploit or if they call you and get you to hand over your login information. They’re more like water taking the path of least resistance to get into your systems. These days most technology systems, whether it be Google, Okta or your C3/SAP system, have security built into them. They are hard to penetrate because the software market has demanded security be built into these systems. When you pay your SaaS subscription with these companies, you’re already paying for security.
The same cannot be said for personnel. While I recommend keeping all of your systems up to date (especially with installed software like Windows), security breaches are almost always going to come in the form of direct attacks on your employees. The trick is to never get blinded by your technology into thinking you don’t need training. The human element is the most vulnerable part of an organization. Training is the way to make sure that vulnerability doesn’t turn into a breach.