Cyber Threats to the Defense Industrial Base Supply Chain
WHY THIS MATTERS
We know that the DIB must beware of threats in cyberspace – known and unknown.
We know the DIB supply chain may be broken by a cyberattack on a long-term supplier or a new third-party vendor.
We know that if your business holds critical or sensitive data, FCI, CUI, important client lists, PII, PHI, PCI, or intellectual property, then you become a target to hackers looking to steal valuable data.
We know that if you visualize your supply chain as a chain of islands, then you can envision how easily hackers island hop from a supplier’s network into your network via an open point of entry.
We do not know who will attack your supply chain or when – but we know that hackers will attack it.
"We have seen better days." – William Shakespeare
Hackers may gain unauthorized access inside a supplier's network, and then a Defense Industrial Base (DIB) contractor's network, for days, weeks, or months without detection. Once inside, fraudsters conduct social engineering, which may lead to funds transfer fraud via imposter emails, calls, text messages, or the use of phishing emails that lead to a ransomware attack or a data breach.
The 300,000 companies in the Defense Industrial Base (DIB), prime contractors and subcontractors in the supply chain, must remain vigilant due to the increase in supply-chain cyberattacks during COVID-19. For example:
- Social engineering (and subsequent phishing emails, texts, and phone calls) has increased.
- Ransomware attacks have increased.
- Data breaches (in conjunction with ransomware attacks) have increased.
- Funds transfer fraud has increased.
Partnerships with Third-Party Suppliers
Partnering with a third-party supplier requires sharing confidential and sensitive information. If companies ignore cybersecurity weaknesses, they put themselves in the line of fire of bad actors.
In 2018, the Ponemon Institute teamed up with Opus on the third annual study, Data Risk in the Third-Party Ecosystem, surveying more than 1,000 chief information security officers (CISOs) from various industries in the US and UK.
According to the Opus and Ponemon study, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties, with 61 percent in the US -- up 5 percent over the 2017 study and a 12 percent increase since 2016.
Furthermore, 22 percent of respondents admitted they did not know, and thus did not detect, if they had a third-party data breach in the past 12 months.
Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.
Businesses need to contemplate the negative consequences after a cyberattack. For example:
- Inability to recover sensitive data – 56%
- Loss of relationships with third parties & business partners – 54%
- Job loss – 45%
- Customers lost – 40%
- Financial damages and fines – 36%
- Corporate reputational damage – 26%
- Revenue loss – 23%
Dr. Larry Ponemon reported that companies need to control their third-party exposure and implement safeguards and processes to reduce their vulnerability.
Island Hopping with a COVID-19 Twist
The term "Island Hopping" began during WWII on the Pacific Front, when Allied forces captured smaller islands to reach the primary target.
In cyberspace, the term refers to an attack in which supply chains and partners are commandeered to reach the primary target, such as a supplier, a distributor, or a financial institution. By attacking the supply chain and third parties around larger organizations, bad actors can island hop their way into larger networks.
VMware Carbon Black's 2020 Global Incident Response Threat Report illustrates that cybercriminals use our home office spaces as a launchpad to compromise professional organizations and conduct criminal conspiracies against them. "In other words, attackers are still island hopping – but instead of starting from one organization's network and moving along the supply chain, the attack may now originate in home infrastructures." The 2020 survey revealed that about a third of respondents experienced island-hopping attacks, 40 percent of which spread destructive malware.
Cyber Risk Management
Cyber Risk Management (CRM) should help your company assess, prevent, detect, monitor, and mitigate cyber loss.
Because you have little visibility when hackers first attack a vendor or supplier, you need to be diligent about the cybersecurity measures of your own business and of your suppliers' businesses.
Conducting a supply chain risk pre-assessment will help you protect your data and that of your clients.
Third-Party Risk Management
Third-Party Risk Management (TPRM) is fundamentally a supply chain risk pre-assessment of significant security and risk controls, viewed through three lenses:
- Organizational – criticality of the business relationship, the amount of sensitive data shared, and business culture.
- Compliance – the level of assurance needed, completeness of statutory requirements, any previous violations, and policy maturity level.
- Technical – the type of cloud usage, data processing environment, data access, storage, and use approaches, and subcontractors.
Even if your business undertakes a CRM plan and a TPRM assessment, there is no 100 percent guarantee of avoiding all cyber risks. The human element is relevant -- even more so when employees working remotely during COVID-19 become more distracted or emotional.
What is Meant by "Human Error"?
We often hear about "human error" causing a cyber incident. What does that mean?
"Human error" means that a member of your team, or a third-party supplier, may override or circumvent your cybersecurity measures without being aware of the cyber risk. How?
For example, one cyber risk involves spoof emails (aka phishing emails) sent by cyber thieves to employees who may be unaware of the cyber threat. Even if employees are aware of cyber risks, they may be distracted while working from home or working remotely. They may unwittingly open a link or attachment in a text or email which releases malicious code or malware into your network, allowing fraudsters to explore your network.
Once inside your network, hackers can conduct social engineering, giving them plenty of time (sometimes hours, days, weeks, or months) to understand your communications. These bad actors create authentic-looking imposter emails, texts, and phone calls to use in funds transfer fraud, ransomware attacks, or data breaches.
- Assume that there will be some human error due to remote work distractions or outright trickery in APT phishing email campaigns.
- Regularly-tested employee awareness training is vital, so much so that some cyber insurance carriers now provide financial support for those efforts.
- Ensure cybersecurity best practices throughout the supply chain via third-party vendor risk assessments and service agreements.
- Invest in comprehensive Stand-Alone Cyber Insurance to help you survive and continue to thrive after a cyber event.
The Case for Stand-Alone Cyber Insurance
Your business stands a better chance of recovery with a comprehensive Stand-Alone Cyber Insurance policy that provides coverage to protect your business against cyber-related losses.
Here are some of the benefits:
- If you suffer a data breach, your business will need to:
  - stop the breach,
  - conduct a forensic investigation,
  - notify all those impacted,
  - recover or restore your data,
  - use public relations to maintain your brand, and
  - defend third-party liability claims or lawsuits for damages by injured parties.
- If you suffer a ransomware attack:
  - you can obtain support in negotiating the ransom demand, and
  - be compensated for the ransom payment (made with the prior written consent of the insurer).
- If you experience business interruption from a cyberattack:
  - you can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period).
- If you experience funds transfer fraud:
  - you can obtain support in recouping some of the funds and compensation for the funds that are not recovered.
Cyber Armada Insurance is prepared to help your company explore your opportunities to reduce and survive financial loss from a cyber event.
- Your organization needs to address the rising threat of island hopping, in which attackers target your suppliers to gain access to your network.
- Phishing emails and imposter emails succeed when hackers and fraudsters trick employees. From there, you may suffer a financial loss from a ransomware attack, funds transfer fraud, or invoice manipulation.
- Employee phishing email training and cyber risk awareness training have immeasurable value. Part of the solution -- some cyber insurance carriers offer support to their policyholders' efforts to increase employees' cyber threat awareness.
- All supply chain members benefit from conducting test runs of new equipment, tracking software, logistics management tools, and safety measures. Why not do the same for cybersecurity measures? Even better, why not do so with the support of your cyber insurance carrier?
- Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks, the dynamic cyber insurance market, and the demands of cyber insurance clients.
Contact Cyber Armada today to explore how we can help your company survive the potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next article, CMMC Requirements – Supply Chain Risks at the DOD – and Beyond.