Sepio | Blog

Supply Chain Risks During the COVID-19 Pandemic

Supply Chains

Shift to remote work

COVID-19 has changed the world. The global economy is crashing, some countries are in complete lockdown, people are wearing masks and other PPE when they step into the great outdoors and, most importantly, almost all organizations that are still operating during this time have had to shift to remote work. Sure, nowadays a lot of organizations are up to date with technology and have sufficient equipment to work remotely. Additionally, start-ups seem to rely on technology to carry out operations anyway, so are seemingly unaffected by this transition. But what about the supply chain?

Have you stopped to think how they are dealing with this shift? And I don’t mean emotionally. You might have suitable cybersecurity measures in place, but do your suppliers? Locking the door of your home is completely ineffective if there is someone outside willingly opening it.

Typically, manufacturers’ infrastructure is still made up of legacy components that were built without taking cybersecurity into account. The sudden need for these components to be accessible remotely leaves a number of vulnerabilities available for bad actors to exploit and, believe me, they will find a way to do so. To make matters worse, the transition has been abrupt, when a change of this magnitude would typically require a time-consuming project.

WFH shift leaves inevitable entry points for an attack

This instantaneous shift leaves inevitable entry points for an attack to take place and, with a scaled-down workforce, there is even greater risk that these vulnerabilities will not be detected and patched. Furthermore, since this is a new area of operations for some supply chain manufacturers, employees will not be educated on the risks of working remotely, thus adding greater risk as reckless actions by uninformed staff cause a quarter of all cyberattacks.

Even before the effects of COVID-19, malicious actors frequently targeted an organization’s supply chain, as suppliers are often easier to infiltrate. Now that they are even less secure, the number of attacks (attempted or successful) will naturally increase. Connecting remotely to a network that has been built quickly, with infrequent oversight, opens up a number of risks, some of which can easily be prevented by implementing up-to-date anti-virus software, IDS and VPNs.

Using “short cuts”

Because everything is done in a rush, people tend to find “short cuts” and use equipment that they previously would not have considered using – and through this process, some Rogue Devices might find their way into the enterprise’s assets. However, supply chain manufacturers who find cybersecurity a novel topic will be unaware of the various protection measures simply because they have not had to deploy them before.

So, what can be done? Importantly, advise leaders in your supply chain to invest in security software to reduce the likelihood of a successful Rogue Device attack. The security software will help an inexperienced team by providing them with 24/7 monitoring of the systems. Non-critical systems that do not need to be online should not be online as it only puts the organization at greater risk if they are.

Education and awareness is key

When it comes to cybersecurity, education and awareness are key. Thus, it is crucial to communicate with leaders of your supply chain – and for them to relay this information back to their staff – about the increased risks of remote work and how they can take action to reduce the potential of an attack taking place. This includes emphasizing hygiene. And no, not telling employees to wash their hands for two minutes after every time they touch something – they already know about this. COVID-19 is improving hygiene in other areas too, including cyber hygiene: know which devices are being used and for what purpose. Who else is using that device? What sort of company data is being accessed when using that device?

Simple steps like knowing one’s asset inventory and its uses will increase employees’ awareness of devices that may be vulnerable and prompt them to take steps to reduce this risk, such as ensuring that all of the authentication features on the device are enabled and that there is only one user of the device; your four-year-old child wanting to play games on your laptop may cause a damaging cyberattack by accidentally connecting a vulnerable device used by an attacker to gain off-site access or by opening a phishing email. Just say no. It’s worth the temper tantrum.

It is also important to stress to employees the importance of avoiding using the internet for personal use when connected to the company’s system. An effective method of ensuring this is to enforce whitelisting practices. If this cannot be done, emphasize that websites such as Gmail, Facebook and Netflix should not be accessed when on the company’s network. Hopefully your staff would not be watching the latest season of their favorite show when on the clock, anyway.

COVID-19 has brought about many different risks, yet those that are not health-related are sorely overlooked. An already frightening time need not be made even more unnerving by having an increased risk of a cyberattack. It is not enough for organizations themselves to have sufficient security enforcement in place; they must ensure that their supply chain does, too. At this time, when supply chain manufacturers are making sudden operational shifts into unfamiliar territories, it is in the organization’s own interest to aid their suppliers in making that transition to guarantee that adequate cybersecurity measures are present across the supply chain. As they say, you are only as strong as your weakest link.

April 21st, 2020