In today’s connected digital world, where the relevance of digitization and technology to create business efficiencies is paramount, the logistics component of the physical supply chain has not been immune to these advances. Indeed, the impact of technology is such that it has fundamentally challenged many traditional norms in the logistics supply chain operating model through the creation of cyber-physical risks.
Such is the scale and pace of change within the sector that it will be surprising to many that a recent survey ranked the transport and logistics sector in second place in a list of industries most affected by cyber-crime worldwide. However, when examining how the industry has changed in recent years, the reasons why it is now a tempting target for cybercriminals become clear.
Transport and Logistics Industry Under Attack
As one of the most profitable industries worldwide and as an important part of the economy, companies in the logistics industry have been increasingly targeted by cyberattacks organized by sophisticated cyber-crime groups. The logistics and transport sector, although a very hands-on sector, relies on a significant volume of data processing and information sharing.
Technology advancements mean that the previously manual completion of forms has become digital and consequently fleet operators are now sharing more data with partners and vendors than ever before. This alone presents an opportunity for cybercriminals, while the disparate network of parties involved in the cargo supply chain provides an even greater opportunity to identify and exploit weak links in cybersecurity.
Given the rapidly evolving nature and the deep sophistication of cyberattacks today, it is vital that transport and logistics firms stay up to date on the cyber threat landscape, to better understand and help defend against a wide range of existing and emerging cyber risks. Doing so, however, will require a change in the cadence of action by the sector in a battle between physical and digital operating models. Some of the major cyber risks the transport and logistics sector has faced and is facing today include ransomware, phishing emails, and industrial technology intercepts.
Addressing Third-Party Supplier Risks
Outsourcing to third-party suppliers to support supply chain IT systems and business processes means that the risks naturally expand to include that of the suppliers. It is essential that due diligence takes place in any third-party selection process and that there is an extensive third-party and supply chain cybersecurity program in place.
Accountability and responsibility for the outsourcing of data management cannot reside solely with the supplier; it must be covered and managed by both parties.
The risks of acquiring services vary from onsite physical and remote access to information and information systems to offsite information processing, equipment and applications. They can include a lack of information security controls, inadequate governance, risk tolerance and compliance practice issues, or overreliance on supplier services and capabilities.
Third-Party and Supply Chain Programs
Advancing third-party and supplier cybersecurity programs is paramount. The process needs to include internal controls, a remediation process for any cybersecurity risks, and KPIs to manage effectiveness, and it needs to be set up to identify where improvements can be achieved on an ongoing basis. Taking a proactive approach across all the organization’s third-party suppliers, including building a good open relationship with them to ensure communications are received in the right way, will strengthen information resilience. Organizations looking to review their current processes and programs should consider addressing the following:
- Review and identify the organization’s stakeholders that are managing third-party suppliers and supply chains.
- Make visibility and transparency a key focus, engaging with suppliers to educate them on the purpose of your program and updating them as relevant on the purpose and risks being managed.
- Define the supplier’s cybersecurity risk tiers and their degree of care at each level.
- Review the context of the supply chain relationship and its impact on your organization.
- Carry out an external cybersecurity posture scan with policy-based questionnaire responses. Ensure that it is monitored regularly and set realistic deadlines.
- Implement a simple method of communication that works for both parties across the various channels.
The transport and logistics industry is a vital part of the economy, as has been proven during the past two years. The scale of the cyber threat facing the industry means that taking steps to defend IT systems against cyber-attacks is crucially important. Cybercriminals are becoming craftier as they create more sophisticated ways to infiltrate networks and steal data for financial gain. Therefore, organizations cannot simply focus on the technological aspects of cybersecurity by assessing potential vulnerabilities in IT systems; they must take steps to address them through best practice security and access controls. The impacts on business processes, products, employees, and customers alike must be understood to preserve the value chain, keep the global supply chain moving, and enable a position of cyber-resilience.