Rise of cybercrimes in the logistics supply chain

“Never assume that third parties are trustworthy or unable to access your sensitive data.” - Mark Brown, Global Managing Director, BSI Digital Trust Consulting Services

August 10, 2023 - Supply chains are evolving and becoming more complex, and alongside this come more sophisticated cyberattacks. As highly profitable, critical parts of the economy, transport and logistics organizations are a tempting target for cyber criminals. It’s imperative that organizations prioritize the correct digital tools and security measures in their business strategies to combat growing threats to their supply chain and build resilience.

Defending against threats

Some of the major cyber risks affecting the logistics sector include ransomware, phishing, and the interception of sensor and industrial technology traffic. Cyberattacks can have catastrophic effects on an organization, so protocols need to be in place to mitigate them. These include:

  • Educating employees: It is essential for employees to learn how to identify specific threats, such as phishing emails, and then flag them to the appropriate person. Employees are usually the first target when cyber attackers are trying to infiltrate a company’s network; therefore, they can serve as the first line of defense against a potential attack.
  • Regularly updating devices and software: This ensures that devices and applications are not only better protected from attacks but are also operating efficiently. Operating from an outdated device and/or software application leaves vulnerabilities and loopholes through which threats can slip and potentially compromise an entire network.
  • Creating a remediation process: Even the best-prepared organizations with the most robust training programs can experience a cybersecurity breach. For this reason, organizations need to draw up a plan or remediation process for how they should respond if a breach occurs or if they detect a weakness or flaw in their information system architecture. Additionally, organizations should periodically reflect on where and how they need to improve their cybersecurity measures.

Addressing third-party supplier risks

Organizations might unknowingly share data or sensitive information with third parties. Therefore, it is crucial that any potential and current partners provide an attestation that they have undergone an appropriate penetration test and review. Organizations can evaluate third-party risks by:

  • Identifying who your suppliers are: It’s important to review the context of other relationships in the supply chain and their potential impact on your organization.
  • Evaluating a potential supplier’s cybersecurity risk level: This evaluation needs to be part of the due-diligence process that takes place during any third-party selection.
  • Deciding the best means of communication: Having a simple way to communicate with your supplier (and vice versa) is critical if an incident happens.
  • Identifying who is managing third-party suppliers and supply chains: Stakeholders dealing with suppliers play a key role in mitigating cyber risks. They need to be up to date on possible threats, understand how strong a supplier’s cybersecurity program is, and know whether their supplier is subcontracting with other service providers and what level of cyber risk those downstream suppliers hold.
  • Being transparent with suppliers about your cybersecurity program: This transparency should include educating employees about the purpose of your program and updating them on the goals and risks managed.
  • Carrying out an external cybersecurity “posture scan” of your suppliers: Tools exist that allow you to operate like a hacker and probe suppliers’ systems to see how secure they are. These posture scans or probes help determine whether your third-party suppliers are following security protocols.

It’s clear that organizations can no longer simply focus on the technological aspects of cybersecurity by only assessing potential vulnerabilities in IT systems; they must also take steps to address them through best-practice security and access controls.

This article was originally published in CSCMP’s Supply Chain Quarterly on October 13th, 2022 under the title: The rising risk of cybercrime in the supply chain. The content has been modified and condensed for this blog. Refer to the full article for Mark Brown’s complete insights on this topic. For more on Digital Trust and Environmental, Health, and Safety topics that should be at the top of your organization’s list, visit BSI’s Experts Corner.