If I told you that there was an upcoming event that would cause your business about 21 days of downtime, take 287 days to fully recover from, and cost you an average payment of $312,493, you would want to do everything in your power to prevent it.
On the other hand, ransomware attacks have been going on for a while, especially targeting hospitals and schools, and they have been largely ignored. Colonial Pipeline’s recent payment of $4.4 million symbolizes the intensification of these attacks during the coronavirus era. A report by Group-IB found that attacks increased 150% in 2020, although this moment was a long time coming.
Ransomware attacks naturally gravitate toward the weakest security, and the connections between firms provide lucrative pools of resources while also being the greatest cybersecurity risk. Compounding the inherent weaknesses of systems spanning organizational boundaries is the fact that many supply chain systems are out of date.
In addition to the Colonial Pipeline, other recent supply chain-related ransomware attacks have struck the following in 2020 or 2021:
• JBS, a global meat supplier with operations in the United States
• Steamship Authority, a Massachusetts ferry operator
• A subsidiary of Toshiba
In case you’re thinking that you’re insured, ransomware attackers purposefully target insured companies. This led US insurer CNA and French insurer AXA earlier this year to no longer offer cyber-insurance policies for extortion payouts, a move likely to be followed by other insurance companies. Both insurers subsequently suffered ransomware attacks.
The White House has initiated an effort to spotlight the increasing ransomware threat, which most Americans have largely ignored up to this point. The National Security Council’s top cyber-official released a warning via the White House to corporate America to step up cyber-security, calling for business leaders to take immediate steps—most of our economy is in the hands of private entities, whether delivering bread to the supermarket or responding with vaccines for a pandemic.
Worryingly, state-sponsored actors are increasing their involvement in ransomware attacks. These are sophisticated attacks by organized and extensive networks, and they ask for millions of dollars when they strike. In addition to manufacturers and companies with extensive supply chains, they’ve also struck cities, schools, hospitals (even at the height of the pandemic), and even the US military.
According to the Ransomware Task Force, this isn’t a problem that can be fixed by an individual company nor likely even by a coordinated private effort. It also requires coordination and cooperation by government entities at an international level.
Infrastructure and cybersecurity are not the same thing, but they are intertwined. In a fundamental sense, if you improve resilience for one, you likely have also improved resilience for the other. This is becoming more and more true as technology drives a merging of information and physical goods. For example, delivery trucks, aircraft, and warehouses are physical infrastructure that becomes much less useful, or even ceases to function, if the information that connects them becomes unavailable.
My last blog proposed blockchain as one possible approach. This prompted some discussion in LinkedIn comments. It’s true that blockchain isn’t a cure-all, and it has its challenges. On the other hand, the capabilities it introduces in terms of greatly improved security, transparency, and empowering of capabilities such as smart contracting mean that either blockchain or some technology with similar capabilities will eventually develop as part of the next evolution of supply chains.
It’s long past time that we stop relegating cyber-security to the IT shop. We wouldn’t leave valuable inventory in an unlocked warehouse—yet many companies’ information is far more valuable than any inventory and harder to replace, and they invest in security not much better than tying a string around a doorknob.
Where to start? Just as good supply chain integration starts by integrating internally to the company, good supply chain cyber-security starts internally. Until you have your personnel and systems in order, you can’t be a secure partner in your supply chain. People are usually the biggest vulnerability, so be sure to include training in your cyber-security initiatives.
It’s time to develop a technology strategy that includes cyber-security and maps what information your company needs, including prioritizing which knowledge most impacts operations. We aren’t going to make product move physically much faster—forklifts, trucks, ships, and planes wouldn’t provide much benefit even if they were twice as fast. The next evolution of supply chains requires improving efficiencies between organizations, and that requires addressing cyber-security.
The White House’s May 12 “Executive Order on Improving the Nation’s Cybersecurity” calls for a partnership between the private sector and the Federal Government. That executive order is a good place to start.
About the Author
Michael Gravier is a Professor of Marketing and Supply Chain Management at Bryant University with a focus on logistics, supply chain management and strategy and international trade.