Pandemic disruptions foster cybersecurity complacency

by Inside Logistics Online Staff

Supply chain disruptions have caused many companies to de-prioritize security as they struggle to acquire basic services like transportation.

A new report, produced by online security provider Kaspersky and freight transport insurer TT Club, has revealed that despite a rise in cyberattacks during the supply chain crisis, 16 percent of U.K. businesses de-emphasized cybersecurity last year amid the pandemic, port closures, driver shortages and other challenges associated with Brexit.

Yet at the same time, cybercriminals have become ever more sophisticated at exploiting organizational silos, security gaps caused by remote working, and the supply chain crisis to undermine the safety and security of critical systems. So much so that companies across the U.K. and Benelux reported a 30 percent rise in the number of cyberattacks they faced last year, compared to previous years.

Unprecedented attacks

The U.K. National Cyber Security Centre (NCSC) reported an unprecedented 777 incidents over the last 12 months – up from 723 the previous year. High-profile attacks, such as the SolarWinds attack in 2020, have demonstrated how threat actors can target a vast number of organizations by breaching a single link in a supply chain.

Despite these threats, the report – Supply Chain CyberSecurity: Potential Threats and Rising to the Challenge – found that both enterprises and SMEs are showing complacency when it comes to protecting the resilience of their supply chains. Even though almost three-quarters (72 percent) of companies said cybersecurity threats are their primary concern, only a third have the necessary internal resources and knowledge to respond to an incident.

Only 35 percent are certain they have taken every possible step to mitigate third-party risks in their organization.

Other priorities

The report found companies that de-prioritized cybersecurity did so in favour of other real-time challenges, such as truck driver shortages and other logistical issues caused by the pandemic.

“One should not underestimate cyber criminals. They are agile, focused and highly sophisticated, presenting a significant threat to businesses in the global supply chain,” said TT Club’s managing director, loss prevention, Mike Yarwood.

“As we emerge from the Covid-19 pandemic, TT would encourage a re-evaluation of cyber risk policies and urge operators to satisfy themselves that sufficient resource is allocated to addressing this threat. Resilience in the face of cyber risk is critical.”

A supply chain attack targets an organization by infiltrating or attacking a business that sits in its chain of suppliers. If one of these entities has low cybersecurity threat protection – or it is avoiding some specific cybersecurity hygiene protocols – it could become the entry point into a much wider network of suppliers. The risk can vary greatly.

Vulnerability

A vulnerability in one organization can significantly impact somewhere else in the supply chain, whether that’s via compromised personal identity or payment credentials. If a supply chain’s weak link is exploited, a business can be brought to its knees. Yet, the report reveals that just 20 percent of businesses have a third-party risk management solution in place and only 18 percent of companies have cyber/business resilience insurance.

“The pandemic, Brexit and supply chain crisis have complicated the cyber threat landscape, making it crucial that organizations take steps to defend against evolving threats under new circumstances,” said David Emm, principal security researcher at Kaspersky.

“Cyberattacks and data breaches can be highly injurious to any business in terms of damage to reputation, costs of remediation, lost business and other expenses. Companies must ensure they only share data with reliable third parties and extend their existing security requirements to suppliers. We urge businesses large and small to scrutinise their suppliers’ credentials as part of the standard due diligence and contracting process, or risk sleepwalking into a cybersecurity disaster.”