Improvements in efficiency, real-time visibility and connectivity with suppliers and customers 24/7 are among the benefits touted for digitizing the supply chain. It makes complete sense, and thanks to a variety of technology tools and startups often described as logistics disruptors, digitizing business processes is happening at a quicker pace.
With this rapid pace, risks are also picking up at an even faster rate, most notably cyberattacks. According to the Identity Theft Resource Center, U.S. companies and government agencies noted 1,093 data breaches in 2016, up 40% from 2015. It’s impossible to capture the total number of attacks, as the company indicates that many more data breaches aren’t included in these numbers.
Cybersecurity Ventures expects global annual cybercrime costs to grow from $3 trillion in 2015 to $6 trillion annually by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
So we polled our social media community and asked, “Can cybersecurity threats be prevented?” Although we only received 12 responses, we were surprised that 58% said yes while 25% said no and 17% were unsure.
The survey was conducted after the NotPetya attack, in which a number of companies, including Maersk and FedEx’s TNT, were hit. Damian O’Hara, data security expert and Director of Cog Security Ltd., explains, “The Petya malware that attacked Ukrainian companies via their accounting software (M.E.Doc) that is required for businesses to submit tax returns, has moved to a more violent strain. It appears to masquerade as Petya but instead of encrypting files it corrupts or overwrites them. It spreads on a network by using Windows File sharing and remote execution tools – copying the malware to the next machine using an open admin share then using remote execution to run it remotely. It also uses the recently released EternalBlue and EternalRomance malware created by the US NSA and released by the Shadowbrokers group earlier this year to propagate itself. That exploit path was blocked by Microsoft back in March 2017 when they released MS17-010 but not enough organizations have applied that patch.”
Indeed, Van Trooijen, Maersk’s Asia Pacific chief executive, commented, “There was nothing in terms of patches that we missed, there was no cyber security measures that we didn’t take, so we were already in quite a strong position.” Still, the company was forced to suspend its main platforms for taking orders for six days, and some functions, including a tracking service that allows businesses to monitor their shipping consignments, were slower to come back online. As a result of the hit, Maersk was forced to reroute ships to alternative destinations and was unable to dock and unload containers at some of its 76 ports.
FedEx’s TNT Express operations were affected worldwide. The Guardian has reported packages piling up in UK depots. A tweet dated July 31st noted that TNT Express International services were back up, but at what level is still unknown. There are also rumors of business systems being ‘destroyed’. FedEx has worked to clear backlogs of parcels by transporting them via FedEx Express and by other means via its FedEx Trade Networks subsidiary.
Both Maersk and FedEx expect financial impacts from this attack but are still calculating the damage.
According to David Shipley, CEO of Beauceron Security, no organization is going to be 100% secure. Instead, organizations need to reduce the risk to a manageable level. In order to do this, David recommends the following:
- Cybersecurity is not just a tech problem. It needs to be part of the company’s DNA
- 90% of attacks begin with humans. Train and get employees to spot phishing and other email threats
- Get management truly engaged
- Patch systems regularly
For the transportation industry, lack of resiliency is an issue. David commented, “I have deep concerns about the resilience of the incredibly complex supply chains we’ve built that depend on on-time deliveries that in turn depend on IT systems that are absolutely not resilient.”
David concluded, “It happened to Maersk, it will happen to your shipping firm someday. Companies can’t change that they’re going to be the target, but they can change how much they will be hit by an attack and how long they will take to recover and how much loss they will suffer. That’s the difference between trying to be ‘cyber secure’ and managing cyber risk.”
Anything and everything can be hacked. As businesses digitize, embrace cybersecurity and incorporate it into the company’s culture. Mitigate the risk beforehand.