Now that large companies are more aware of security, attackers are increasingly going after their contractors instead. Countering this “weakest link” strategy requires closer collaboration along the entire supply chain. We explain.
The supply chain: a prime target for hackers
The largest companies are reaching a certain maturity with regard to cyber threats, with stronger protections and generally greater awareness. They appear to be fully prepared, but that appearance masks these giants’ Achilles heel: their suppliers and service providers.
Supplier components, their assembly on production lines, the storage of finished products and their movement into distribution networks are all vulnerable stages that offer opportunities for malicious tampering. Who would suspect a parcel delivered by their usual courier? Likewise, who would suspect software supplied by their long-standing service provider? Instead of attacking large companies head on, hackers now target these other, more vulnerable stakeholders, who can open the door to the large companies’ networks and devices. Because suppliers are generally smaller, cybersecurity and digital hygiene are unfortunately not a priority for them, which makes them perfect targets.
In 2013, the US retailer Target was breached via a subcontractor responsible for... air conditioning: the attackers used that contractor’s remote-access credentials to get into Target’s network. In the end, tens of millions of customer and payment card records were stolen. Last year, 50,000 students, parents and teachers at an American school also had their personal data leaked because of a contractor.
Cyber risks from subcontracting are closer than we think. “What about companies where computers come back from repair and are handed straight back to employees without anyone checking whether malware was installed during the repair or in transit?”, says Florian Bonnet, Stormshield’s Director of Product Management.
And the objectives can be many at each link in the chain: gathering manufacturing secrets and intellectual property, stealing customer and partner data, or simply bringing the production line to a halt. Late-delivery penalties, lost revenue and a tarnished reputation follow. A 2018 study by Vanson Bourne found that the pharmaceutical, biotechnology, hospitality, media, entertainment and IT services sectors are the most targeted. Software publishers are also affected, because their applications are regarded as trustworthy and reach many companies unhindered, as shown by the Ukrainian accounting software M.E.Doc, whose compromised update mechanism was the starting point of NotPetya in 2017.
The temptation to underestimate risk
For hackers, even the smallest businesses, whose activity may not look like a major prize at first glance, can be a prime target. Yet “most small businesses don’t feel this concerns them”, notes Stéphane Prévost, Product Marketing Manager at Stormshield. “Since they don’t have a war chest or sensitive information on their networks, they don’t always put the appropriate measures in place. It’s like insurance: pointless until the day you need it”.
This attitude leads to a sort of taboo when an incident occurs. Against this background, ANSSI’s message for 2019, “All connected, all involved, all responsible”, is meaningful. “Now that systems are all connected to the Internet and, therefore, to each other, we must involve everyone in thinking about cybersecurity. Teams must communicate with each other to ensure global security”, says Alain Dupont, Stormshield’s General Manager and Customer Service Director.
Only one solution: work together
Current protection techniques, such as detecting incidents through abnormal behaviour or running simulated attacks, no longer seem sufficient for companies’ new perimeter. The reach of these tools is limited if they only cover the organisation itself, with no connection to its ecosystem. “A chain’s level of security is that of its weakest link”, Florian Bonnet reminds us. For each company, the challenge is therefore to raise awareness among its contractors just as it does among its own teams.
With better and more secure information sharing between subcontractors and purchasers now possible, the latter are in a position to play a decisive role. “For example, during calls for bids, by making sure that subcontractors fulfil certain cybersecurity criteria”, says Alain Dupont. This change is vital: in the current model of massive outsourcing through alliances, the only companies that will survive are those able to guarantee the integrity of all their processes and data, including those they do not control directly.
This ambition requires us to select our partners rigorously, to keep automating all flows, and above all to instil a spirit of cooperation from one end of the chain to the other. And you: are you ready?