By Grace Renderman, Associate Editor
During the COVID-19 pandemic, cybersecurity has become an afterthought for some links in the global supply chain, suggests a recent report from cybersecurity/digital privacy company Kaspersky and international freight transport insurer TT Club.
The report — “Supply Chain Cybersecurity: Potential Threats and Rising to the Challenge” — alleges cybersecurity has been “deprioritized” despite a rise in cyberattacks during a global supply chain crisis that has limited the shipping of everyday items including food and electronics. Companies have reported a 30% rise in cyberattacks across the United Kingdom and Benelux, the intergovernmental organization that includes Belgium, Luxembourg and the Netherlands, the report's writers say.
There are reasons for the deprioritization. Many businesses haven’t been able to focus on cybersecurity while the pandemic, war and other global disruptions threatened their actual existence, says David Emm, principal security researcher at Kaspersky.
“Can we get the supply of goods and services that we need? Can we maintain our actual production facilities ... our distribution, transport of goods, and so on,” Emm says. “They focused on fixing those, or at least doing the best they could to make sure that posed as little impact as possible on their business.”
Even so, it’s more important than ever for companies to stay vigilant in the cyber arena, given the ever-shifting geopolitical environment. Attackers take advantage of the chaos and confusion amid conflict, from opportunists looking to make a quick buck to organized financial attacks, Emm says. While typical cyberattacks focus on popular shopping holidays like Black Friday and Christmas, which only come once a year, COVID-19 has offered a persistent “hook” that allows attackers to “milk every part of the pandemic,” he says.
Another reason cyberattacks are on the rise: More people are working remotely, Emm says. The decentralization of the workplace can lead to an employee base unprepared to contend with cyber threats that normally would be addressed by an IT department. Phishing emails, remote desktop hacking and fraud are among the issues non-IT employees are often unequipped to deal with, Emm says.
“What the pandemic provided was a topic which was persistent. In other words, it wasn't here today and gone next week, but something that existed over a period of years, as it's turned out,” Emm says. “So, [attackers] were posing as delivery companies, anything to try to get people to click on links or disclose sensitive information.”
The war in Ukraine also poses serious threats to the security of organizations serving within a government’s “critical infrastructure,” Emm says. Due to the world’s heavy dependence on internet connectivity, supply-chain disruptions are much easier to accomplish with the right technology and the click of a button. That’s especially critical when it comes to defense against invasions, where a nation can not only be physically impaired, but technologically impaired, too, by cyberattacks against communication centers, hospitals and national security agencies, Emm says.
“Geopolitics is, and has been for some time, one of the elements woven into the threat landscape as a whole,” he adds. “Governments of all complexions in all geographic zones are flagging to companies the importance of cybersecurity as a way of ensuring that they're not, on the one hand, collateral damage ... but also to ensure that those companies with a strategic place within a nation's sovereign environment … don't fall victim to attacks related in some way to the real-world conflict.”
All companies should have basic readiness and preparedness to deal with cyberattacks — from endpoint protection (securing logins to devices) to a good backup plan to risk assessment processes. All companies also should have skilled IT staff who are familiar with cybersecurity protocols, or at least able to connect with independent cybersecurity consultants, he says. Companies should audit their suppliers’ cybersecurity processes and assess their cybersecurity risks. Even suppliers going in and out of facilities need to be assessed if they have access to sensitive data, Emm says.
Bottom line: Wherever risk is taken on, it needs to be managed, Emm says.
“We accept risk all the time in life, and I think that's true of businesses anywhere,” he says. “I think the key, though, is don't blindly accept risk.”