Human Error in Your Supply Chain Could Cost You Millions
Mistakes happen. No matter how strong your security, or that of your vendors, a single mistake anywhere in your supply chain can quickly become a balance sheet liability. The average cost of a cyberattack is almost $3 million. Are you financially prepared? Learn how you’re vulnerable and why the right stand-alone cyber policy can protect you.
WHY THIS MATTERS
We know that manufacturers must beware of threats in cyberspace – known and unknown.
We know the manufacturing supply chain may be broken by a cyberattack on a supplier, whether a long-term vendor or a substitute third-party vendor brought in during COVID-19.
We know that if your business holds critical or sensitive data, important client lists, PII, PHI, PCI, or intellectual property, then you become a target for hackers looking to steal valuable data. The size of your business matters less to cybercriminals than the monetary value of the data you hold.
We know that if you visualize your supply chain as a chain of islands, then you can envision how easily hackers island hop from a supplier’s network into your network via an open point of entry.
We do not know who will attack your supply chain, but we know that hackers will attempt to do so. Do you have the finances to fund a cyber incident response, to rise from the incident without falling permanently? That is the purpose of comprehensive cyber insurance.
"Our greatest glory is not in never falling, but in rising every time we fall."
Hackers may gain unauthorized access inside a supplier's network and then access a manufacturer's network for days, weeks, or months without detection. Once inside, fraudsters conduct social engineering, leading to a data breach, ransomware attack, or funds transfer fraud.
McKinsey advises manufacturers to stress-test their industrial supply chains and remain vigilant as supply-chain cyberattacks increase during COVID-19. For example:
- Social engineering (phishing emails, texts, and phone calls) has increased.
- Ransomware attacks have increased.
- Data breaches (in conjunction with ransomware attacks) have increased.
- Funds transfer fraud has increased.
Third-Party Vendor Cyber Risk
Partnering with a third-party supplier requires sharing confidential and sensitive information. If companies ignore cybersecurity weaknesses, they put themselves in the line of fire of bad actors.
Blue Voyant research reveals that four in five firms have suffered a cybersecurity breach caused by a third-party vendor.
Regarding manufacturing, the survey found that the Industrial Internet of Things (IIoT), where production machines communicate with one another, increases cyber risk: attackers can disable all or part of the IIoT or harvest data from it.
Blue Voyant surveyed 250 executives in the manufacturing sector. Of those respondents, 57 percent said they had suffered a cyber breach in their supply chain in the past 12 months. Also, 82 percent said they do not monitor all suppliers for cyber risk.
Island Hopping with a COVID-19 Twist
The term "island hopping" originated in WWII on the Pacific front, where Allied forces captured smaller islands as stepping stones toward the primary target.
In cyberspace, the term refers to an attack in which supply-chain partners are compromised as stepping stones to the primary target, such as a supplier, a distributor, or a financial institution. By attacking the supply chain and third parties around larger organizations, bad actors can island hop their way into larger networks.
VMware Carbon Black's 2020 Global Incident Response Threat Report illustrates that cybercriminals use our home office spaces as a launchpad to compromise professional organizations and conduct criminal conspiracies within them: "In other words, attackers are still island hopping – but instead of starting from one organization's network and moving along the supply chain, the attack may now originate in home infrastructures." The 2020 survey revealed that about a third of respondents experienced island-hopping attacks, 40 percent of which spread destructive malware.
Furthermore, island hopping has been primarily aimed at the financial sector, where 50 percent of incident response professionals witnessed this attack method.
Cyber Risk Management
Cyber risk management (CRM) should help your company assess, prevent, detect, monitor, and mitigate cyber loss.
Because you have little visibility into an attack while it is still confined to a vendor or supplier, you need to be diligent about your own business's cybersecurity measures and those of your suppliers.
Conducting a supply chain risk pre-assessment will help you protect your data and that of your clients.
Third-Party Risk Management
Third-Party Risk Management (TPRM) is fundamentally a supply chain risk pre-assessment of a vendor's significant security and risk controls, viewed through three lenses:
- Organizational – criticality of the business relationship, the amount of sensitive data shared, and business culture.
- Compliance – the level of assurance needed, completeness of statutory requirements, any previous violations, and policy maturity level.
- Technical – the type of cloud usage, the data processing environment, data access and storage approaches, data use, and subcontractors.
Even if your business undertakes a CRM plan and a TPRM assessment, there is no 100 percent guarantee of avoiding all cyber risks. The human element remains relevant, even more so when employees working remotely during COVID-19 become more distracted or emotional.
Humans Are the Weakest Link
We often hear about "human error" causing a cyber incident. What does that mean?
Human error means that a member of your team, or a third-party supplier, may override or circumvent your cybersecurity measures without being aware of the cyber risk. Humans make mistakes, and 58% of organizations studied by Netwrix report that employees ignore cybersecurity policies and guidelines.
For example, one cyber risk involves spoofed emails (phishing emails) sent by cyber thieves to employees who may be unaware of the threat. Even employees who are aware of cyber risks may be distracted while working from home or working remotely. They may unwittingly open a link or attachment in a text or email that releases malware into your network, allowing fraudsters to explore it.
Once inside your network, attackers have plenty of time (hours, days, weeks, or months) to study your communications before conducting social engineering. These bad actors create authentic-looking imposter emails, texts, and phone calls to use in funds transfer fraud, ransomware attacks, or data breaches.
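The imposter emails described above usually betray themselves in the headers: a sender domain that resembles a real supplier's, a display name that claims a supplier the address does not belong to, or a Reply-To that diverts the conversation elsewhere. The following is an added example, not code from the article or from any vendor it names, showing a small check that flags such messages before a payment-detail change is acted on. The supplier domains, the confusable-character table, the payment phrases, and the two sample emails are all constructed for illustration.

```python
"""Flag imposter-style supplier emails by inspecting headers and body.

Added example for illustration; all domains, messages and thresholds are
constructed and not taken from any real incident.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
import unicodedata

# Constructed allow-list: the supplier domains this hypothetical company pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-parts.example", "northwind-metals.example"}

# Character sequences commonly swapped in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Phrases typical of funds transfer fraud / invoice manipulation requests (constructed).
PAYMENT_CHANGE_PHRASES = ("new bank", "updated account", "change of bank", "wire")


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accented/Unicode look-alikes to ASCII, and fold common
    confusable sequences so 'acrne-parts.example' compares equal to 'acme-parts.example'."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known supplier domain that `domain` imitates, or None.
    An exact match is the real supplier, not a lookalike; anything within
    edit distance 2 after normalization is treated as an imitation."""
    raw = domain.lower()
    if raw in KNOWN_SUPPLIER_DOMAINS:
        return None
    norm = normalize_domain(raw)
    for known in KNOWN_SUPPLIER_DOMAINS:
        if edit_distance(norm, normalize_domain(known)) <= 2:
            return known
    return None


def analyze_message(raw_email: str) -> List[str]:
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_string(raw_email)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Sender domain is a near-copy of a supplier we actually deal with.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain!r} looks like supplier {target!r}")

    # 2. Display name invokes a supplier brand while the address is not that supplier.
    for known in KNOWN_SUPPLIER_DOMAINS:
        brand = known.split(".")[0].replace("-", " ")  # e.g. 'acme parts'
        if brand in from_name.lower().replace("-", " ") and from_domain != known:
            findings.append(f"Display name {from_name!r} claims {known!r} but address is {from_addr!r}")

    # 3. Replies are silently redirected to a different domain.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 4. A payment-detail change from an already-suspicious sender is the fraud pattern itself.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if findings and any(p in body.lower() for p in PAYMENT_CHANGE_PHRASES):
        findings.append("Payment-detail change requested from a suspicious sender")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = """From: Accounts <ap@acme-parts.example>
To: payables@manufacturer.example
Subject: Invoice 4471

Attached is invoice 4471 for September.
"""

SAMPLE_IMPOSTER = """From: Acme Parts Accounts <ap@acrne-parts.example>
Reply-To: ap@acrne-parts.example
To: payables@manufacturer.example
Subject: Updated bank details for invoice 4471

Please note our new bank account details for all future wire payments.
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("imposter", SAMPLE_IMPOSTER)):
        print(label, analyze_message(sample) or "no findings")
```

The "rn" to "m" fold is what catches `acrne-parts.example`; a reviewer eyeballing the address would usually miss it. The check deliberately does not block anything on its own: the useful control is routing any message that trips finding 4 to an out-of-band confirmation with the supplier using a phone number already on file, not one from the email.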
- Assume that there will be some human error—test, test, and re-test. Regularly-tested employee awareness training is vital, so much so that some cyber insurance carriers now provide financial support for those efforts.
- Ensure cybersecurity best practices throughout the supply chain via third-party vendor risk assessments and service agreements. Your legal counsel can advise you on vendor agreements that require cyber insurance.
- Invest in comprehensive Stand-Alone Cyber Insurance to help you survive and continue to thrive after a cyber event.
The Case for Stand-Alone Cyber Insurance
If your company falls, can it get back up and recover?
Your business stands a better chance of recovery with a comprehensive Stand-Alone Cyber Insurance policy that provides coverage to protect your business against cyber-related losses.
Here are some of the benefits:
If you suffer a data breach, your business will need to:
- stop the breach,
- conduct a forensic investigation,
- notify all those impacted,
- recover or restore your data,
- use public relations to maintain your brand, and
- defend third-party liability claims or lawsuits for damages by injured parties.
If you suffer a ransomware attack:
- you can obtain support in negotiating the ransom demand, and
- be compensated for the ransom payment (made with the prior written consent of the insurer).
If you experience business interruption from a cyberattack:
- you can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period).
If you experience funds transfer fraud:
- you can obtain support in recouping some of the funds and compensation for the funds that are not recovered.
Cyber Armada Insurance is prepared to help your company explore your opportunities to reduce and survive financial loss from a cyber event.
- Your organization needs to address the challenge of the rising threat of island hopping, targeting your suppliers to gain access to your network.
- Phishing emails and imposter emails succeed when hackers and fraudsters trick employees. From there, you may suffer a financial loss from a ransomware attack, funds transfer fraud, or invoice manipulation.
- Employee phishing email training and cyber risk awareness training have immeasurable value, and some cyber insurance carriers now support their policyholders' efforts to increase employees' cyber threat awareness.
- All supply chain members benefit from conducting test runs of new equipment, tracking software, logistics management tools, and safety measures. Why not do the same for cybersecurity measures? Even better, why not do so with the support of your cyber insurance carrier?
- Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks, the dynamic cyber insurance market, and cyber insurance clients' demands.
Contact Cyber Armada today to explore how we can help your company survive the potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next article on supply-chain risk in construction.