Digital Cyberspace and Concentration Risk

The sudden scarcity of common household items that began in the spring of 2020 has become a global struggle to move goods from ports and warehouses to customers’ homes and factory floors. The classic supply chain has one company delivering components needed by another for manufacturing: today there are multiple kinds of complex supply chains using physical and digital modes of delivery. An example of an especially complex supply chain is when both the mode of delivery and the finished product are digital, for example, delivering or sustaining services such as software. SolarWinds, the Austin-based network software developer that suffered a massive cyber-attack in early 2020, is an example of this kind of supply chain. The complexity involved in that particular cyber incident opened a lot of people’s eyes to the scope of potential damage and disruption to complex supply chains.

As a supply chain example of a cyber event, SolarWinds is interesting because they produce a product used within their client’s own network to monitor that network, a software system delivered via a download. SolarWinds’ product was intended to perform various types of security functions within the client’s network, and as such, the client expected a resilient product. This is an example of a supply chain delivering function and support. When SolarWinds was breached, bad actors delivered a malicious component in a software update distributed via the cyber supply chain to hundreds if not 1000s of customers, making them vulnerable to a subsequent cyber-attack.

Because of the pandemic and increasing incidents of cyber-attacks, resilience has become top of mind for supply chain managers seeing to prevent devastating interruptions to services and product flows. Often overlooked is cyber security’s fundamental role in resilience, even when the supplier is assessed does not provide information technology services. The Colonial Pipeline shut down last summer is an example of this kind of scenario. That disruption was not related to any cyber services, it occurred when consumers couldn’t purchase gasoline because of a ransomware incident perpetrated on the company. The Colonial attack exposed additional complexities and vulnerabilities in today’s distribution supply chain that pertains to multiple industries.

Even today, there are still businesses that can avoid a significant disruption if their IT network gets shut down. However, in the Colonial incident, a cyber-attack did not take the pipeline offline: Colonial chose to take the pipeline offline in response to a ransomware threat to its billing system as an abundance of caution, as well as potential risks to its operations technology, which could have had a direct impact on the pipeline. There were also reports that with their billing system down, Colonial couldn’t track fuel deliveries, and thus couldn’t bill for them. This straightforward attack on a single, non-cyber target had complex impacts on the supply chain across the entire East Coast of the United States.

Adding to the complexity issue is the pandemic of ransomware striking companies in every sector and supply chain. Security rating companies provide scores, but companies with good cyber hygiene scores suffered ransomware attacks at a rate similar to those with poor scores. What does a company need to do to understand the probability of disruptions?

I have some basic recommendations. Check out Stop Ransomware, created by Homeland Security’s Counterintelligence Field Activity (CIFA). This website explains what ransomware is and features a section on how to avoid being attacked, including a downloadable guide with preventive best practices and a response checklist. These best practices are not new, but following them pays off. Phishing is one of the two most common vectors for bad actors. Educate your employees about phishing – it is one of the most important things you can do.

Accessing an open remote access server with hacked or stolen credentials is the second most-used vector for cyber attacks. Have employees create unique credentials for work systems and use multi-factor authentication. These are not bulletproof solutions, but they make getting in more challenging for bad actors, who are looking for the fast and easy way in.

Additionally, use a Sender Policy Framework (SPF) for your company’s email. It’s easy to set up, available for all major email services, and authenticates the validity of any email coming from the real sender’s domain to prevent spoofing (authentic-looking, malicious emails with forged addresses) and phishing. The best part is it’s probably already available for the services you have. Microsoft explains how it works.

Another useful resource is the Fair Institute’s Factor Analysis of Information Risk (FAIRTM), which helps businesses define their level of risk appetite and tolerance through analysis, and quantifies risk exposure in financial terms. FAIR creates a framework for establishing data collection criteria, measurement scales for risk factors, and a modeling construct for analyzing complex risk scenarios. Visit Quantitative Information Risk Management | The FAIR Institute.

A primary question in Third Party Risk Management (TPRM) is how many third parties does a company use? Small companies may use dozens; large companies, thousands. To illustrate how complexity expands in TPRM, imagine a CISO responsible for his own company’s third parties, of which there are a hundred. Then assume each of those vendors also uses a hundred third parties (nth parties), all of which present a level of risk to our CISO. (nth party graphic here). 10,000 potential sources of risk. It’s nearly impossible to effectively manage that kind of complexity, especially when it’s one of a dozen or more responsibilities. In response, third party risk management continues its reliance on regulatory and compliance processes. CISOs collect questionnaires designed to confirm a vendor’s security and validate their continued compliance with company requirements. The process works well until it doesn’t. SolarWinds had a very good compliance record. They received numerous industry certifications from their checklist process, and they still got breached because there were other issues.


The resources below can direct your approach to mitigating cyberattacks within your organization:


Blog Footer Cybersecurity