Supply chain risk is front-page news. Across the world, supply chain problems have resulted in empty supermarket shelves, international concerns about the energy supplies that keep the lights on and trucks moving, and shortages of electronic components and construction materials.
The ransomware attack on the Colonial Pipeline that carries 45 percent of the U.S. East Coast’s supply of diesel, gasoline, and jet fuel was just one of the numerous breaches that have impacted global supply chains in the last 12 months. Maintaining agility may demand working with new partners — and quickly. But organizations must also manage the potential additional security risks, both to avoid reputational damage and to protect against the possible disruption costs following any ransomware attack or data breach.
The ongoing digitization of the supply chain, often facilitated through the cloud, has delivered significant efficiency and cost benefits resulting from shared data and systems in areas such as integrated planning and execution systems, logistics visibility, autonomous logistics, smart procurement and warehousing, spare parts management, and analytics.
For some companies, such as Siemens, that are working at the “bleeding edge” of supply chain innovation, the creation of a cloud-based operating system means that the manufacturer can process data in real time from millions of devices and sensors in plants, systems, machinery, and products dispersed throughout production processes and supply chains. Siemens may be working toward supply chain Nirvana, where processes and decisions happen with minimal human intervention. But the day-to-day reality for many suppliers, logistics providers, manufacturers, wholesalers, and retailers across the globe is that business happens in browsers, via email, and with shared files. And the more we use the Internet to collaborate, the more we’re exposed — in fact, research has shown that web and email attacks are behind 90 percent[1] of all breaches.
So, what proactive prevention steps can organizations take to avoid the growing risk of data loss and ransomware from online collaboration with new and existing supply chain partners?
It’s good to talk, but who is listening?
The increased adoption of cloud applications within the supply chain, accelerated by the challenges of Covid-19, has made the browser the most important productivity tool on any endpoint across the extended enterprise. At the same time, the vast majority of cyberattacks start with the browser. A determined attacker needs to do only a little research to understand your key suppliers, and then it’s easy to use this intelligence to target your users with bogus emails and infected attachments, websites, and downloadable documents.
Supply chains are evolving to be as much about the efficient exchange of information as they are about the flow of goods and services. But where there is external information sharing, security specialists are rightly uneasy. The Menlo Labs team has observed a steady rise in credential phishing attacks that are started by creating fake login pages or forms to steal users’ credentials for commonly used services, including email and document exchanges with supply chain partners.
Attackers may use credential phishing to breach a large organization’s smaller supply chain partners (whose controls may be easier to bypass) and then use an exchange of information, containing malware, as an easy way to move laterally and infect the large enterprise. If any large enterprise is consciously or unconsciously allowing smaller partners to store sensitive data, malicious actors don’t even need to move laterally — the larger company’s data is already freely available on the smaller company’s network.
Even the most well-trained professional can fall victim to a seemingly normal website or email that is, in fact, compromised. Instead of relying on employee training to recognize common scams, enterprises are exploring strategies that isolate employees’ devices. Rather than detecting threats and blocking employees from accessing potentially malicious web content, this new approach simply isolates all their endpoints from browser-based traffic.
How does this work exactly? Take a large, global manufacturer as an example. Because many of their employees were engaged in digital research and communications, the company was dealing with high volumes of phishing attacks and web malware. The result: high numbers of infected devices that required costly, time-consuming reimaging. While anti-phishing training for employees was having some impact in reducing these attacks, many employees continued to click on infected links, leading to credential theft and malware infection.
Adopting the isolation strategy changed everything for this company. Using isolation meant that all the unknown executable code from the Internet that employees previously came into contact with — including every website visited — was executed in a remote cloud container. No matter whether employees were surfing the web, reading emails, or downloading documents, it was impossible for malware to infect users’ devices or the network they were connected to. Better still, end users had no idea that these web sessions were actually occurring on the external Menlo platform, rather than on their devices, because there was no impact on accessibility or performance.
Trust your supply chain partners with Zero Trust
In 2020, 62 percent of all companies were targeted by ransomware.[2] Of those organizations that fell victim to ransomware, research shows that 58 percent paid the ransom.[3] But a startling fact is that one-third of those companies that decided to pay the ransom — figuring it was the best way to return to business as usual — never actually received the decryption keys or had their data returned. The result was a severe loss on all fronts.
The moment a ransomware attack is detected, it’s too late. Your systems have been compromised, the attackers already have what they need, and no amount of remediation is going to turn back the clock to unwind the damage.
For many organizations we talk to, greater resilience to ransomware attacks results from a Zero Trust approach to security. The race is on to create an impenetrable air gap — culturally moving to an assumption that no traffic should be trusted. This includes browser-based Internet traffic, in addition to the content within every email and document attachment.
But Zero Trust must also work at speed and scale, and legacy on-premises, appliance-based proxies that perform standard URL filtering and sandboxing are too slow and inflexible to stop the very real threat of ransomware in its tracks.
To reduce risk but maintain agility, fast-moving organizations in the manufacturing, logistics, and wholesale industries are deploying solutions to prevent malicious code from ever reaching the network perimeter. They’re mobilizing isolation-powered cloud security to shut the door on malware from within any supply chain communications for good. Obviously, isolation — despite its many returns on investment — will not protect an entire supply chain. Cybersecurity for these vital networks also needs IT and security specialists to have conversations with a wide range of functions — such as sourcing, vendor management, and logistics — in a coordinated effort to reduce third-party risk.
Whatever information security management system you have in place or how rigorous your compliance, your supply chain partners may not take their security controls as seriously as you want or need them to. Knowing that these relationships create security gaps means a compromised supply chain partner can become an all-too-easy entry point to your network. There is no industry framework that mandates isolation or Zero Trust as requirements, but when it comes to managing third-party risk, perhaps there should be.
Learn how organizations are approaching Zero Trust security strategies in this new study by analyst firm ESG.
[1] Sources: Google, Verisign
[2] 2021 Cyberthreat Defense Report, CyberEdge Group
[3] Same source as [2]