If Cyber's a War Get Out The Armor . . .
. . . And Strap On a New Military Mindset
by Kim Phelan
Every day, distributor executives are executing strategies to fine-tune processes, create more efficiencies and grow company profits – it should come as no surprise that cyber criminals are doing precisely the same thing, and they get better every year.
And their motives have shifted over the last 10–15 years. Where once cyber thieves were after intellectual property they could sell on the dark web, today the value in cyber theft is what it means to the victim being locked out of their own data, and what they will pay to access it again, says David Magee, chief technology officer and chief information and security officer at Turtle Technology Services, the company’s newly created cybersecurity division. With ransomware tools readily accessible, and legal ramifications lax to non-existent in many parts of the world, cyber theft has become big, organized, and rampant.
From the top echelons of the federal government, including the Department of Defense, and throughout industrial supply chains of the U.S. and beyond, the issue of cyber threats has stolen the spotlight among national priorities as officials and company management alike recognize that all it takes is one crack in the armor – if one business, however small, succumbs to an attack, all their partners can be similarly breached, says William Hutchison, CEO of SimSpace. He strongly advocates for Third-Party Risk Management (TPRM), the process of analyzing the risks associated with your supply chain and working to minimize those risks.
The resounding message from cybersecurity experts to the industrial distribution sector today is: No one is too small to become a target. Magee says companies in the mid-market space are particularly vulnerable to cyberattacks, and many suffer substantial financial setbacks. Like healthcare, he adds, cyber prevention is easier, cheaper, and far less painful than treatment.
While it’s easy for a solo hacking entrepreneur to make a good living on phishing, hacking has come of age, with smart and sophisticated operations made up of well-trained software developers, managers, and investors, according to Walt Szablowski, president of Eracent, a cybersecurity firm that emphasizes process-based, Zero-Trust defense.
“Large groups of hackers develop a relationship with an organization and work to establish themselves on the target organization’s network,” he said. “Most large organizations have many hacking organizations resident on their networks. It is not one to one; it’s many to one . . . If you are a substantial organization, hackers invest time and money in infiltrating your organization.
“Hackers do not need sophisticated tools,” Szablowski continued. “Many organizations have such poor cybersecurity that hacking the organization is quite easy. But if the prize is sufficient, hackers will overwhelm the network with the most sophisticated attack possible.”
GUARDS UP
Industrial distribution companies face several evolving threats today, says Tom Brennan, executive director of CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security industry. He noted that some of the latest challenges for industrial distribution companies include:
- Ransomware attacks: Ransomware can encrypt important files and data, rendering them unusable until a ransom is paid. These attacks can disrupt operations and cause significant financial losses.
- Phishing attacks: Crooks use social engineering techniques to trick employees into providing sensitive information or clicking on malicious links. Industrial distribution companies may be targeted because they often handle sensitive customer and supplier data.
- Supply chain attacks: Cybercriminals may target industrial distribution companies as a way to gain access to their customers’ and suppliers’ systems. This can involve compromising the industrial distribution company’s network and using it as a stepping stone to launch attacks on other companies.
- Internet of Things (IoT) vulnerabilities: Devices connected to your network, such as sensors, cameras, and other equipment, may have vulnerabilities that can be exploited by cybercriminals.
- Insider threats: A concern because many employees may have access to sensitive information and systems. Threats can include intentional data theft, accidental data exposure, or other malicious activity.
With so much at stake financially and because of great risk posed to supply chain partners, the mind-set required is no longer one of “should,” says Magee, but rather of “shall.” According to Gartner, by 2025, 60% of organizations will use cybersecurity risk as a primary criterion for determining business/supply chain relationships.
Preventing attacks cannot be done with technology alone, adds Michael Powell, chief information security officer, managed services, at Net at Work, an award-winning technology advisor that offers a wide portfolio of solutions, expertise and services to help wholesale distributors.
“Mitigation requires a set of security controls and practices that are tailored to fit each organization,” said Powell. “A good place to start is a security framework – implementing and demonstrating compliance with a framework, and mandating that your partners do, will help to reduce the size of the exploitable gaps.”
One highly recommended cybercompliance standard to assess your company against is NIST 800-171 (the basis for the Cybersecurity Maturity Model Certification), which provides organizations with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in non-federal systems and organizations, according to MxD, a Chicago-based organization in partnership with the DoD that equips U.S. factories with digital tools, cybersecurity, and workforce expertise.
This spring, the new CMMC 2.0 will go into effect, but for companies already compliant with NIST 800-171, the most significant change coming is that self-assessment is being replaced by third-party compliance assessment, according to Laura Élan, director of cybersecurity at MxD. In other words, your word isn’t sufficient – as more supply chain partners begin requiring CMMC 2.0 compliance, distributors will have to provide objective proof that they’ve met all published cybersecurity requirements. Third-party assessment is a process that could take up to six months and, depending on the size of your company and scope of CUI, could cost from $15,000–$50,000, according to Élan.
READY FOR A FIGHT?
For all intents and purposes, cybercrime is a war, says Hutchison, and security teams responsible for protecting distribution companies need to bring a military mind-set to their preparations – training to failure like an army or navy.
“Only by stress-testing their readiness with combat-like simulations can businesses and their stakeholders gain visibility into their strengths and vulnerabilities,” Hutchison said. “As criminals continue to hone their tactics, techniques, and procedures, so security teams need to drive continuous improvements. Businesses should include their supply chain partners in their security audits, live-fire exercises, risk assessments, and employee training.
“Attacks initiated on large, well-resourced companies are now part of a war that requires private sector industries to better manage their security risks,” he added. “SimSpace’s Cyber Force Platform allows commercial sector organizations to use the same government-grade cyber ranges that have been tried and tested by nation states and intelligence agencies around the world.”
Szablowski at Eracent says his company completely defines the network, identifies vulnerabilities, and establishes a process that can be measured, managed, and modified, which is the key to securing a network. The implementation of Eracent’s Zero Trust framework is guided by the NIST standards and Zero-Trust Architecture, he added.
“On top of that is a process to continuously redefine risks and have automated contingency plans to detect and handle attacks,” said Szablowski. “These are essential steps toward protecting the network. Ultimately, the effort results in a network that is too difficult to exploit, and the hackers move on.”
Net at Work’s Powell says cloud migration continues to be a key trend for today’s digital enablement, which can mitigate some of the common security vulnerabilities, but it’s not a silver bullet.
“That said, it also introduces new ones, and misconfiguration is a common attack vector for threat actors. In terms of legacy technology, we see an increasing number of organizations upgrading to next-generation antivirus and Endpoint/Extended Detection and Response to protect their on-premise servers and workstations. Technology that supports the Zero-Trust security model is also gaining traction, but the “never trust, always verify” ambition can be especially complex when it comes to manufacturing and distribution.
“Net at Work, as a technology advisor to small-to-medium sized businesses (SMBs), is pivoting to a secure-by-design and by-default approach to managed services. We understand that SMBs have security concerns and that budget is a big factor in determining what they can and can’t implement. We have designed our services to fit this space and secure the most common attack vectors, with 24/7 security monitoring and threat isolation, to help our customers unleash the power of their businesses as they digitally transform themselves.”
DON’T BE THE WEAK LINK
Companies with cyber insurance may tend to feel confident about their security position, but Magee at Turtle warns against complacency.
“Getting coverage is one thing,” he said, “getting paid is another. If there is any weakness on the application, forensics will discover it and the company may be vulnerable to paying ransom or fines. In addition to rebuilding the company and its reputation, a victim caught unprepared will suffer direct financial harm, will need to pay more for cybersecurity, more for insurance in the future, and is vulnerable to longer-term reputational loss and customer scrutiny.”
Jeopardizing customer and supplier relationships could be the worst threat of all for a distributor. In addition to conducting a thorough cyber assessment of where your company stands right now, the following best practices from Bobette Puckett at Alliant Insurance Services can help your organization reduce its exposure to cybercrime:
PREVENTION:
- Limit the number of parties with authority to initiate fund transfers and create accountability chains according to organizational risk.
- Require supervisory approval of changes to account details including contact information and bank routing numbers (offline/telephone approval).
- Require supervisory approval of all wire transfers above a certain amount (offline/telephone approval).
IDENTIFY:
- Identify key roles in which employees may be especially vulnerable to social engineering attacks including those in accounts payable with access to payroll, confidential corporate information and/or PII, and with approval/oversight of critical systems and processes.
- Run regular reports showing all changes to vendor details.
VERIFY:
- All vendor bank accounts via direct call to a receiving bank, prior to establishment in the accounts payable system.
- Requested changes to vendor’s account details, including bank routing numbers and contact information, via direct phone call at a predetermined number.
- Do not attempt to verify changes via email or via phone number provided with a change request; these communication methods may be intercepted as a component of a phishing campaign.
TRAIN:
- Offer regular guidance and training to employees around the detection of phishing and other social engineering scams.
- Consider tailored training according to employees’ roles.
- Focus training on preventing hurried responses and overcoming emotional/impulsive reactions.
- Ensure procedures are performed consistently across the business.
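As an added illustration of the PREVENTION and VERIFY controls above (not part of the original article or of Alliant’s materials), the Python check below refuses a vendor bank-detail change unless a supervisor other than the requester approved it offline and accounts payable confirmed it by calling the predetermined number already on file, and it flags wires above an assumed approval threshold that lack sign-off. The vendor, phone, routing and account values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

WIRE_APPROVAL_THRESHOLD = 25_000  # assumed; the article says only "above a certain amount"

@dataclass
class Vendor:
    vendor_id: str
    routing: str
    account: str
    phone_on_file: str  # predetermined number recorded at onboarding, never taken from a change request

@dataclass
class ChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    requested_by: str
    verified_via: Optional[str] = None     # "phone" or "email"; None if nobody verified
    verified_number: Optional[str] = None  # the number AP actually dialled
    approved_by: Optional[str] = None      # supervisor who approved offline/by telephone

def review_change(vendors: dict, req: ChangeRequest) -> list:
    """Control failures for a vendor bank-detail change; an empty list means it may be applied."""
    failures = []
    vendor = vendors[req.vendor_id]
    if not req.approved_by:
        failures.append("no supervisory approval")
    elif req.approved_by == req.requested_by:
        failures.append("requester approved own change")
    if req.verified_via != "phone":
        failures.append("not verified by direct phone call")
    elif req.verified_number != vendor.phone_on_file:
        failures.append("verified at a number other than the predetermined one on file")
    return failures

def review_wire(amount: float, approved_by: Optional[str]) -> list:
    """Wire transfers above the threshold need offline supervisory approval."""
    if amount > WIRE_APPROVAL_THRESHOLD and not approved_by:
        return ["wire above threshold without supervisory approval"]
    return []

# Constructed sample data (fictitious vendor, phone, routing and account numbers).
VENDORS = {"V-100": Vendor("V-100", "000000001", "11112222", "+1-555-0100")}
OK = ChangeRequest("V-100", "000000002", "99998888", "ap_clerk", "phone", "+1-555-0100", "ap_manager")
# Called back on the number supplied with the request and self-approved: both controls fail.
SPOOFED = ChangeRequest("V-100", "000000002", "99998888", "ap_clerk", "phone", "+1-555-0199", "ap_clerk")
# Confirmed by replying to the e-mail that asked for the change: the channel itself is untrusted.
EMAILED = ChangeRequest("V-100", "000000002", "99998888", "ap_clerk", "email", None, "ap_manager")
```

Run `review_change(VENDORS, SPOOFED)` to see both failures reported, and `review_change(VENDORS, OK)` to see an empty list for a change that cleared every control.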
This article originally appeared in the May/June 2023 issue of Industrial Supply magazine. Copyright 2023, Direct Business Media.