Cyber-criminals are seeking out new prey. Industries that previously had a lower threat profile – such as oil-and-gas, manufacturing, and shipping – are now falling victim to cyber-attacks at an increasing rate. In some cases, the cyber criminals are using the supply chains of companies in these industries as entry points for the attacks. In other cases, the criminals target these companies directly. In either case, the organizations these companies are third parties to – their clients – are often impacted.
As a result of this new trend, governments are stepping up with new efforts – laws, regulations, and guidance – to help create national supplier ecosystems that are more resilient to cyberattack. Industries are also creating their own working groups and other types of infrastructure to help increase communication about cyber risk – to share experiences as well as information on prevention and resilience. The evolution of cybercrime is rapid – governments, industries and individual companies are working hard to stay ahead of the threat.
Expanding their horizons
While most industries have had some level of cyber-criminal activity over the past decade – no one is really immune – some industries have seen an uptick in both frequency and severity over the past 12 months. Impacts have included disruption of operations and theft of proprietary information. Industries finding themselves under increasing threat include:
Most industry experts believe that these attacks are just the tip of the proverbial iceberg – that cyber-criminals will continue to expand the range of firm types they attack, as well as further develop their arsenal of cyber weaponry. Supply chains are now considered to be on the front lines of this cyber-warfare – disrupting a single organization may only be a means to an end, with the end being the disruption of all of that company’s client operations.
US government takes action
Governments are boosting their efforts to protect both their economies and their citizens from this escalating cyber-warfare. This is taking a variety of forms, including the protection of the government’s own supply chain; reaching out to industries that are seeing growing levels of cyberattacks with regulations as well as information; and emphasizing the importance of supply chain protection for all businesses.
In the United States, several initiatives are underway to help protect the government’s own supply chain – and particularly those of civilian agencies. For example, two senators introduced a bill in June 2018 that focuses on improving the resilience of civilian agencies, alongside other US government supply chain cyber issues. The Federal Acquisition Supply Chain Security Act (FASCSA) would enable the creation of a Federal government-wide approach to supply chain security risk for IT products and services. For example, it would enable US civilian Federal agencies to work with each other, as well as defence and intelligence agencies, to mitigate IT security issues.
The US Federal government is also looking to enhance its support for businesses across the country that face cyber risks. For example, the US Congress is working on the Small Business Advanced Cybersecurity Enhancements Act. Hearings were held in February on this bill, which amends the Small Business Act. It directs the Small Business Administration, jointly with the Department of Commerce, to create a central small business cybersecurity assistance unit, as well as satellite units in small business development centres. The goal is to help smaller businesses – which are often in the supply chains of larger companies – better manage their cyber risk.
In July 2018, the Department of Homeland Security announced the formation of a new National Risk Management Center, to engage specifically with cyber risk and to work more closely with the private sector. Other US legislation is in the works which, if passed, would give the Department of Homeland Security the ability to bar suppliers that pose a cyber threat to civilian government supply chains. Chinese and Russian companies are thought to be of particular focus here.
UK provides targeted programs
In the UK, the National Cyber Security Centre (NCSC) launched its first set of cybersecurity advice to law firms, and a new legal threat report, in July. The threat report indicated that £11 million of client money was stolen over the past 12 months via cybercrime, and that 60% of law firms reported suffering from an information security incident in the past year. The report points out that law firms are an attractive target for cyberattacks because they have “sensitive client information, handle significant funds and are a key enabler in commercial and business transactions.” Earlier in the year, the NCSC published guidance for protecting the supply chain within companies. A report on cyber security in the UK, published to coincide with a conference sponsored by the NCSC in April 2018, also discusses significant supply chain incidents that happened between October 2016 and December 2017.
Industry collaboration increases resiliency
While governments seek to deliver improvements in cybersecurity resilience across their economies, individual industries are also taking action at a more grassroots level. Many of the new targets of cyber criminals are industries that are not as highly regulated as financial services, health care, and utilities – the early cyber targets – are. For governments, it’s easier to step in and increase cyber resilience in highly regulated industries because there is a structure already in place through which they can deliver new cyber resilience rules. For less regulated or unregulated industries, governments can struggle to communicate with and provide assistance to firms.
As a result, industry organizations and associations are beginning to play a key role in the fight against cybercrime. For example, in April the American Trucking Associations launched FleetCyWatch to help members exchange information about cyberattacks and threats. The shipping industry has also put in place a range of guidance and rules around cybersecurity, although some don’t come into force until as late as 2021. Various efforts are afoot in both the manufacturing and oil and gas industries, too.
All of these programs to combat cyberattacks and improve resiliency are important. However, companies should not wait for outside instruction – or worse, a cyberattack. They should be prepared – by understanding the cyber risks within their own supplier network, as well as the risks that the effects of a cyberattack could create for their clients. Key steps include:
In short, the cybersecurity environment continues to rapidly evolve. A broad range of industries are now under attack – sometimes through their own third parties. In other cases, the attack impacts a company’s own clients, leading to significant reputational and financial damage.
Organizations today – no matter what industry they are in – need to be cyber-aware, and take the appropriate actions to build resilience for when an attack or breach takes place.