4 Biggest Supply Chain Security Threats to Watch in 2023


The supply chain sector has always been a magnet for theft and fraud, but these risks multiply in the age of Industry 4.0. In addition to insider threats, robbery and run-of-the-mill deception, today’s companies also face a host of cybersecurity concerns.

Here is a look at some of the biggest supply chain security threats to watch in 2023. The most important thing is to appraise each of these risks and cover it in an incident response plan. Some 63% of senior executives and 67% of small-business owners polled in 2021 said they didn’t have one.

Studying your supply chain risks, taking them seriously and making remediation plans in advance of setbacks can set your business apart.

1. Third-Party Risks

It’s easy to forget that freight, distribution and fulfillment companies are single links in a long value chain. Awareness of how third-party business partners open your operation to risk is a critical first step in shoring up supply chain security. Here are just some of the classes of risk third parties represent:

  • Cybersecurity vulnerabilities: Are their hardware and software hardened against attack?
  • Compliance and regulatory risks: Do you and your partners understand local laws and reporting requirements?
  • Critical supply risks: Do climate events or geopolitical machinations threaten product or material supplies?
  • Corruption and culture: Do your partners practice business legitimately?

How can you address these risks confidently? Start by interviewing your potential partners to understand their challenges and what they’ve done to manage them. Ask questions like:

  • Does their technology incorporate endpoint detection and response (EDR)?
  • Do they conduct scheduled vulnerability assessments?
  • How many dedicated security staff members do they have?
  • What steps have they taken to vet their technology and fulfillment partners?
  • What regulations govern them, and how do they consistently address these requirements?

The supply chain is competitive, but it’s also a community. One weak link threatens all the others, as Toyota learned firsthand in early 2022. An attack on Kojima Industries, one of the company’s suppliers, forced Toyota to halt production at its plants throughout Japan, losing roughly 13,000 cars of output. Successful attacks on large companies like this may encourage even more third-party attacks in 2023.

2. Application Programming Interfaces (APIs)

Gartner and other research firms have been sounding the alarm on APIs for years, saying they’re on track to become the most frequently exploited attack vector across the supply chain. APIs are powerful tools that make disparate technology platforms work together correctly. The trend of abusing APIs won’t let up in 2023 as they continue to proliferate.

Roughly 70% of software developers plan to use even more APIs in 2023 than in 2022, even after 63% increased their API reliance in 2022. This accelerating growth will make APIs an even more prominent target for cybercriminals. How can a supply chain company protect itself? One way is to know what resources you have and study them regularly to understand the threat landscape:

  • NIST and CVE reports and databases: The Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST) are public catalogs of known cybersecurity vulnerabilities, with severity scores and affected-product data.
  • Bug bounty programs and reports: Platforms like Bugcrowd and HackerOne, along with publishers and developers of supply chain technology, frequently sponsor bug bounties to find and patch vulnerabilities before attackers exploit them.
  • First-party vendor bulletins: Security bulletins published by vendors are not to be overlooked.
  • GitHub: Review public advisory databases on GitHub and similar code repositories.
  • Social media: Follow prominent security researchers and industry experts on social media to see where their attention is focused.

In 2022, Forbes used such resources to manually identify more than 190 individual API-based security exploits. You can do the same for the products and platforms you interact with.
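Knowing what you run is the prerequisite for using any of those feeds. The script below, an added example that is not from the original article, cross-checks a component inventory (the APIs, SDKs and libraries your platforms depend on) against advisory records in the OSV JSON schema, the format behind the GitHub advisory database and many ecosystem feeds. The inventory entries, advisory IDs and package names are constructed placeholders, not real advisories.

```python
"""Cross-check a component inventory against advisory records.

Added example (not from the original article). Assumes an SBOM-style
inventory of the packages you run and advisory records in the OSV JSON
shape. Every record and component below is a constructed placeholder;
the IDs are not real CVEs.
"""
import json

# Constructed inventory: what we actually run. Names/versions are made up.
INVENTORY = [
    {"ecosystem": "PyPI", "name": "example-gateway-client", "version": "2.3.1"},
    {"ecosystem": "npm", "name": "example-api-sdk", "version": "1.9.0"},
    {"ecosystem": "npm", "name": "example-api-sdk", "version": "2.0.4"},
]

# Constructed advisory feed in OSV form. IDs are placeholders, not real CVEs.
ADVISORY_FEED = json.dumps([
    {
        "id": "EXAMPLE-2023-0001",
        "summary": "Auth bypass in token refresh endpoint client",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-gateway-client"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.2"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2023-0002",
        "summary": "Unbounded query parameter leads to data exposure",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-api-sdk"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}],
        }],
    },
])


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, ranges):
    """OSV ECOSYSTEM ranges: events come in (introduced, fixed) pairs.

    A version is affected if it falls in any [introduced, fixed) interval, or
    at/after an 'introduced' that has no later 'fixed' (still unpatched).
    """
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue  # SEMVER/GIT ranges need their own comparators; skipped here
        introduced = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < parse_version(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= v:
            return True  # open interval: no fix published yet
    return False


def match_inventory(inventory, feed_json):
    """Return (component@version, advisory id, summary) for every affected component."""
    hits = []
    for adv in json.loads(feed_json):
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            for comp in inventory:
                if (comp["ecosystem"], comp["name"]) != (pkg.get("ecosystem"), pkg.get("name")):
                    continue
                if is_affected(comp["version"], aff.get("ranges", [])):
                    hits.append((f'{comp["name"]}@{comp["version"]}', adv["id"], adv.get("summary", "")))
    return hits


if __name__ == "__main__":
    for comp, adv_id, summary in match_inventory(INVENTORY, ADVISORY_FEED):
        print(f"{comp}: {adv_id} - {summary}")
```

Run on the constructed data it reports the two components inside a vulnerable range and stays silent on the patched 2.0.4 build. In practice the feed would come from the OSV query API or a vendor bulletin rather than an inline string, and the inventory from your build system; the matching logic is the part that rarely changes.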

3. Social Engineering

Successful campaigns based on extortion, phishing, smishing and vishing are on the rise. The U.S. Federal Trade Commission recorded $5.8 billion in fraud losses in 2021, an increase of roughly $2.4 billion over 2020, and 2022–2023 is looking like a repeat of that trend.

More people are becoming aware of phishing, so cybercriminals are shifting toward spear phishing, which targets specific individuals. These more personalized attacks are harder to spot as fake, making them more effective even against people who understand phishing trends. In a recent report, 79% of surveyed organizations reported spear phishing attacks, a rise of more than 10% over 2020.

Social engineering attacks are the vehicle favored to carry out these fraud and extortion attempts. Social engineering includes:

  • Phishing emails are designed to look like they come from a legitimate supplier or business leader to trick the target into handing over money, credentials or intellectual property.
  • Smishing attempts are similar to phishing but use SMS text messages to impersonate a known entity, like the 2022 Twilio attack. In this case, attackers impersonated Twilio’s IT department through text to get employees to reveal their login credentials.
  • Vishing involves the use of telephone calls or voicemail messages to attempt to trick the target into revealing sensitive information.
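Supplier impersonation of the kind described above usually leaves mechanical traces: a sender domain one character off from the real partner's, a Reply-To pointing somewhere else, or an executive's name on an outside address. The following is an added example, not code from the original article, that flags those traces in raw message headers. The partner domains, executive names and the two messages are constructed for illustration.

```python
"""Flag e-mail that impersonates a known supplier or executive.

Added example (not from the original article). Parses raw message
headers, compares the sender's domain with an allowlist of domains you
actually do business with, and flags lookalike domains, Reply-To
mismatches and display-name spoofing. All domains, names and messages
below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains of real partners plus your own company.
KNOWN_DOMAINS = {"example-freight.com", "example-logistics.net", "ourcompany.example"}
OWN_DOMAIN = "ourcompany.example"

# Constructed list of people attackers like to impersonate (lower-cased).
EXECUTIVE_NAMES = {"pat cfo", "dana ceo"}

# Constructed messages: one spoofed invoice-redirect attempt, one legitimate note.
SPOOFED = """From: "Pat CFO" <pat.cfo@examp1e-freight.com>
Reply-To: accounts@payments-update.example
To: ap@ourcompany.example
Subject: Urgent: updated bank details for invoice 4471

Please remit to the new account before close of business.
"""

LEGIT = """From: "Dispatch" <dispatch@example-freight.com>
To: ap@ourcompany.example
Subject: Pickup confirmation

Truck scheduled for 08:00.
"""


def levenshtein(a, b):
    """Edit distance; a distance of 1 or 2 between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message):
    """Return a list of warning strings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    warnings = []

    # 1. Lookalike domain: close to a partner domain but not actually one of them.
    if from_dom and from_dom not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if levenshtein(from_dom, known) <= 2:
                warnings.append(f"lookalike domain {from_dom} (resembles {known})")
                break

    # 2. Replies silently redirected to a different domain.
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Display name claims an executive but the address is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != OWN_DOMAIN:
        warnings.append(f"display name '{from_name}' claims an executive but sender is {from_addr}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse(raw) or "clean")
```

Against the constructed spoofed message all three checks fire; the legitimate dispatch note passes clean. A mail gateway rule that tags such messages for the accounts-payable team is a cheap complement to the training and phishing tests recommended below, and the same allowlist doubles as the list of partners whose bank-detail changes should always be confirmed by phone.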

Some freight and distribution executives believe social engineering is the “main risk” facing companies in this space. Take these steps to protect your supply chain business:

  • Limit data access to individuals who require it to carry out their functions.
  • Conduct thorough social engineering and general cybersecurity training for new hires and provide scheduled refreshers for current associates.
  • Revoke digital and physical credentials immediately when an employee leaves or is terminated.
  • Carry out random phishing tests to see if employees fall for fraudulent emails.
  • Consider agreeing on a code phrase with your vendors and partners for verifying that you’re actually speaking with them during phone calls, especially before acting on payment or shipping changes.

These proactive measures should enable you to create a security-conscious company culture with vigilant, informed and invested employees.

4. Data Breaches

Run-of-the-mill data breaches are some of the most devastating threats to the supply chain because they frequently go unnoticed until the worst of the damage is done. Research shows that the average time to identify and contain a breach is 277 days.

Compared to a social engineering attack or a disclosed third-party vulnerability, there may not be a suspicious incident to tip you off. Your data may get compromised in the background, with your team none the wiser. That happened to Crane Worldwide Logistics, which noticed a potential data breach exposing thousands of customers’ information in December 2022. The company discovered sensitive information had become available to unauthorized third parties, but the cause or time of the incident was unclear.

Protecting yourself against data loss is a full-time commitment for in-house security personnel or a carefully vetted third-party security consultant. Here are the broad strokes of safeguarding your information:

  • Adopt a zero-trust security framework.
  • Use two-factor authentication (2FA) on all individual and company accounts. Prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted or phished, as the Twilio incident above shows.
  • Carry out regular penetration testing of company networks and databases to find weaknesses.
  • Purchase or subscribe to attack surface monitoring software to be more proactive about suspicious cloud and local network events.
  • Encrypt all data at rest and in transit. Encrypt cloud-bound information before it’s uploaded, so the provider never holds the plaintext.
  • Insist on risk assessments among your third-party logistics partners.
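The 2FA item deserves a closer look, because "turn it on" hides what the verifying side must get right. The block below is an added example, not code from the original article: a server-side TOTP (RFC 6238) check using only the Python standard library. It accepts one 30-second step of clock drift, rejects a code that has already been accepted so a captured one cannot be replayed, and compares in constant time. The secret is the RFC 6238 reference secret and the user store is constructed; a production deployment would keep secrets in a vault and the replay state in a shared store.

```python
"""Server-side TOTP (RFC 6238) verification with a replay guard.

Added example (not from the original article). Shows what 'use 2FA'
means on the verifying side: derive the expected code from a shared
secret and the current 30-second step, tolerate one step of clock skew,
and refuse a code that was already consumed. RFC_SECRET is the RFC 6238
test secret; the user store is constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code
DIGITS = 6     # code length
DRIFT = 1      # accept +/- this many steps of clock skew

# RFC 6238 reference secret (ASCII "12345678901234567890"); never reuse in production.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP, digits=DIGITS):
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Tracks the last accepted step per user so a captured code cannot be replayed."""

    def __init__(self, secrets):
        self.secrets = secrets   # user -> secret bytes (constructed in-memory store)
        self.last_step = {}      # user -> highest time step already consumed

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(user)
        if secret is None or not (isinstance(code, str) and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(now) // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            expected = hotp(secret, step)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                if step <= self.last_step.get(user, -1):
                    return False  # replay: this step (or a later one) was already used
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier({"alice": RFC_SECRET})
    code = totp(RFC_SECRET, 59)          # "287082": RFC 6238 vector 94287082, 6 digits
    print("first use:", verifier.verify("alice", code, now=59))
    print("replay   :", verifier.verify("alice", code, now=70))
```

The first call succeeds and the second, presenting the same code a few seconds later, is refused even though the code is still inside the drift window. That replay check is what turns a one-time code into a one-time code; without it, an attacker who phishes a six-digit value has the full 30 seconds (plus drift) to use it. Even with it, TOTP remains phishable in real time, which is why phishing-resistant options such as FIDO2 security keys are the stronger choice for accounts that move money or goods.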

Physical security is one part of data breach safety that frequently flies under the radar. Taking care to lock server closets and restrict access to sensitive equipment is a big part of keeping the organization safe.

Also, ensure there are clear and detailed procedures for any employee working on or transporting devices containing company data, like computers or drives. Finally, if personal devices are permitted in company workflows, ensure there’s an equally thorough set of requirements for protecting them — both physically and digitally.

Supply Chain Security Is in Your Hands

It can feel like our hands are off the wheel sometimes where security is concerned, but fatalistic thinking won’t make us any safer. Social engineering and other forms of manipulation may be dishearteningly common in the supply chain, but no one is helpless. Even the simplest precautions, like limiting account access and using 2FA, will go a long way in keeping organizations safe.
