New Articles

C-TPAT DRIVES SUPPLY CHAIN SECURITY AND TRADE COMPLIANCE

In today’s ever-changing business environment, organizations face ongoing security challenges. It’s crucial for shippers to understand the potential risks to their supply chains and to establish security plans that avoid disruption. One significant way for shippers to proactively protect their operations is by becoming a member of the Customs-Trade Partnership Against Terrorism (C-TPAT) program.

Established in 2001 as a direct result of the September 11 terror attacks, the C-TPAT program is part of U.S. Customs and Border Protection’s (CBP) multi-layered cargo enforcement strategy. Through this voluntary program, CBP works with importers, shippers, carriers, brokers and logistics providers to implement best practices for a safe, secure and expeditious supply chain. Today there are more than 11,400 certified C-TPAT partners, and these companies account for more than 52 percent of the products imported into the U.S.

C-TPAT Member Benefits

In addition to promoting supply chain security, participating in the C-TPAT program can yield significant benefits for shippers and transportation providers, including:

Fewer customs inspections – C-TPAT certification reduces the number of customs inspections and documentation reviews a company faces. According to CBP, C-TPAT members are 3.5 times less likely to incur a security or compliance examination.

Faster border crossings – Members have access to special Free and Secure Trade (FAST) lanes at border crossings, and can move to the front of the line during inspections. This can significantly expedite border crossings at many Canada/Mexico land border ports.

Quick response time – Following a national emergency, companies participating in the C-TPAT program are eligible to resume business first.

Enhanced reputation – Participating in a national security program reflects a company’s ongoing commitment to safety. Some companies will only do business with importers that are C-TPAT certified, giving members a competitive edge.

Cost avoidance – By reducing potential supply chain disruptions, C-TPAT members avoid the costs associated with delayed shipments. Additionally, a member organization that is penalized may be eligible for up to a 50 percent reduction in the imposed fine.

Joining C-TPAT

While almost every organization that is involved in the import and export business can enroll in the C-TPAT program, eligibility requirements vary by business type. But to achieve certification, all companies are required to:

-Conduct a risk assessment

-Implement a supply chain security management system that complies with C-TPAT requirements

-Submit a detailed application

-Meet with CBP representatives to verify security measures

In addition to obtaining their own certification, organizations can extend the program’s coverage by working with third-party logistics (3PL) providers that are also C-TPAT certified. A certified 3PL adds a layer of protection against supply chain attacks because it operates as an extension of the company’s own security procedures rather than as a gap in them, which in turn strengthens the company’s brand with customers that require certified partners.

A 3PL with active participation in the Mexican and Canadian markets also brings a portfolio of carriers and companies that are approved by C-TPAT, or that comply with minimum requirements for C-TPAT partners, essentially giving shippers a competitive advantage. 

Addressing Evolving Supply Chain Risks

As supply chain risk continues to evolve, so too do the C-TPAT requirements. In May 2019, CBP announced updated Minimum Security Criteria (MSC) for the program to help further mitigate risk. Areas that were added or updated in the new criteria include:

-Issues related to cyber security

-Protection of the supply chain from agricultural contaminants and pests

-Prevention of money laundering and terrorism financing

-The proper use and management of security technology, such as intrusion alarms and security camera systems

Members are expected to implement the new criteria throughout the remainder of 2019, and validation against the new MSC will begin in early 2020.

Support Supply Chain Safety

With security risks threatening supply chains around the globe, it is important for companies to support initiatives that aim to tackle and prevent supply chain risks. By obtaining C-TPAT certification, businesses have the unique opportunity to take an active role in supporting national security while improving their own supply chain operations.

While there is no fee to join the C-TPAT program, companies often have to invest in improving their practices to meet the minimum security criteria and maintain a compliant program. That investment goes a long way toward helping companies mitigate risk, avoid supply chain disruptions and drive greater efficiency in cross-border transport.

______________________________________________________________

Linda Bravo is the Corporate Customs Broker at Transplace, where Sergio Flores is the Safety and Security Coordinator. Transplace is a 3PL provider offering logistics technology and transportation management services to manufacturers, retailers, chemical and consumer packaged goods companies. Learn more at Transplace.com.

Automotive Industry Cyber Attacks: Trends and Threats to Watch Out For

A report from Upstream Security estimates that the automotive industry could lose $24 billion to cyber attacks within five years. The company, which specializes in cloud-based automotive security, analyzed reported incidents at a granular level to identify the cyber threats and trends to prepare for in 2019.

The findings are based on an analysis of more than 170 cyber incidents reported between 2010 and 2018. The study also catalogued the ways attackers get in, including physical, wireless and long-range (remote) attacks.

“With every new service or connected entity, a new attack vector is born” said Oded Yarkoni, Head of Marketing at Upstream Security. “These attacks can be triggered from anywhere placing both drivers and passengers at risk.

“Issues range from safety critical vehicle systems, to data center hacks on back-end servers, to identity theft in car sharing, and even privacy issues. The risk is immense. Just one cyber-hack can cost an automaker $1.1 billion, while we are seeing that the cost for the industry as a whole could reach $24 billion by 2023.”

Key highlights from the report include:

-Back-end application servers are directly involved in 42 percent of automotive cyber security incidents

-Tier 1 suppliers, fleet operators, telematics service providers, car-sharing companies and public/private transportation providers are experiencing rising rates of cyber security incidents.

-Multi-layered security tactics such as in-vehicle, automotive cloud security and network security are recommended to reduce risk.

-Fraud and data privacy are the areas most affected by the two newly identified attack methods.

To read the full report, visit Upstream Security.

Source: Upstream Security

Sepio Systems, Tech Data & SHI Partner for Cybersecurity

Hardware-based attacks are the focus of a three-way partnership recently announced between Sepio Systems, Tech Data and SHI International Corp.

Under the partnership, Tech Data channel partners and SHI customers can bundle Sepio’s hardware security products with their existing offerings. Beyond simplified deployment options for the Sepio Prime and Sepio Agent security management products, the emphasis is on threats introduced by uncontrolled peripheral devices and accessories attached to the network.

“As part of our continuous effort to ease our customer’s process of complying with the NIST standards and guidelines for securing Information Systems, we are excited to team with Tech Data and SHI,” said Yossi Appleboum, CEO of Sepio Systems Inc.

“Packing Sepio’s deep visibility capabilities into devices and hardware assets together with a granular policy enforcement tool greatly reduces the cyber risk organizations are facing. For the first time, Tech Data customers and partners can deploy a simple and robust software solution that addresses more than 15 controls from the NIST 800-53 Special Publication,” Appleboum concluded.

Sepio’s products detect hidden hardware attacks involving rogue peripherals, invisible network devices and manipulated firmware. The software-only solution, Sepio Prime, is currently deployed in the U.S., Brazil, Singapore and Israel.

How To Ditch The Techie Jargon And Improve Your Organization’s Cybersecurity

An office memo that tosses around terms like DRM, botnet, FTP, spear phishing and worm could be a quick, easy read for the head of the IT department.

But for everyone else in the organization it may well be one big mass of confusion.

And with that bewilderment comes potential danger, says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.embedded-knowledge.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

“There’s a serious gap in communication skills between cybersecurity pros and their general audiences, and it’s essential for the people on the IT side to bridge it,” Campos says. “Increasingly complex security threats demand that cybersecurity professionals use plain language when they are communicating with those less familiar with tech talk.”

Otherwise, he says, an organization could be vulnerable to hackers even if the staff had been warned about what to look for, simply because the employees didn’t understand the language behind the warning.

After all, cyber threats aren’t just a technology problem; they are a people problem, says Campos, who worked on cyber threats during his time at Microsoft.

“People are the weakest link in computer security, and many companies don’t promote a company philosophy of ‘computer security is everybody’s business,’” he says.

Campos suggests a few ways to improve communication between those in charge of cybersecurity and everyone else in the organization:

Incorporate this need into the hiring process. When hiring new staff for your IT and cybersecurity team, look for experts who have not only tech skills, but also the skills necessary to comfortably interact socially and clearly communicate in lay terms with all the stakeholders in the organization.

Focus on training. Cybersecurity teams can be trained to become solution designers who can connect the dots, Campos says. They can then capture, clarify, and address all stakeholders’ concerns, helping them to determine and keep their goals aligned. Such cybersecurity pros enable success by listening to everyone involved before sharing their own viewpoints.

Realize this is an ongoing process. It’s important to ensure that the improved communication is sustained over the long haul, and people don’t revert to old ways down the road, Campos says. “You will want to monitor the situation so that you can quickly spot and head off any problems,” he says. “You can create a feedback loop so that the employees are encouraged to let you know how things are working.”

“Data breaches, data ransom plots, and email hacks intimidate us all,” Campos says. “Cybersecurity teams themselves feel hard-pressed enough to prepare themselves for the onslaught of these gremlins, let alone to accomplish the challenging task of communicating to stakeholders about how to mitigate and deal with cybersecurity risks.”

“But for organizations to keep their information and systems safe, that communication needs to be done, and in a way everyone can understand.”

About J. Eduardo Campos

J. Eduardo Campos is co-author with his wife, Erica, of From Problem Solving to Solution Design: Turning Ideas into Actions. Campos spent 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad.  His consulting firm, Embedded Knowledge Inc. (www.embedded-knowledge.com), works with organizations and entrepreneurs developing customized business strategies and forming partnerships focused on designing creative solutions to complex problems.

GlobeNet Steps Up Cyber Security with Anti-DDoS Gold Mitigation Service

Following the successful rollout of its Silver Anti-DDoS Mitigation Service, GlobeNet has announced the launch of a higher tier of the offering. The Gold Anti-DDoS Mitigation Service is aimed at more diverse and complex customer requirements and at the sharp rise in DDoS attacks, which the company reports have increased 500 percent since 2017.

The upgraded service gives customers a wider range of protection options with fewer limits on mitigation capacity, along with proactive measures intended to keep them operating during an attack.

Features include unlimited clean bandwidth and mitigated attack volume, flexible protection policies, dynamic detection and neutralization of attacks, and early detection of malicious traffic, all of which reduce the risk of downtime. Clients can choose the level of protection that matches their own requirements.

“GlobeNet’s Anti-DDoS Gold and Silver levels provide an effective solution to the growing scale of modern DDoS attacks,” said Eduardo Falzoni, CEO of GlobeNet.

“With this new service, our customers now have the enhanced flexibility to choose the option that will best suit their needs. Both services provide 24/7 network protection without the need for organizations to make costly capital investments in their own anti-DDoS solutions. As a result, we ensure peace of mind for our clients’ mission-critical infrastructure and traffic.”

The Best Weapon Against Cyber Threats Is Not Better Tech – It’s People

When a company’s computers are hacked, management’s first impulses often are to invest in better software, better virus protection packages, better computers or even entire networks.

But they may be putting the emphasis in the wrong place.

“The problem’s root cause is usually not the technology, but people,” says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.eecampos.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

Campos, who has worked as Chief Information Security Officer (CISO) in large international corporations, says organizations that take a simplistic approach, assuming that “computer hacks are an IT department’s problem,” are headed for trouble. “Cybersecurity is everyone’s job,” he cautions.

For lasting results, Campos harnesses the power of solution design techniques to develop cybersecurity systems and protocols, based on the I.D.E.A.S. framework, outlined in his book:

Identify. Get to the root cause of the problem. Step back, take a breath and assess the situation, so that you treat the cause rather than just the symptoms.

Design. To avoid security breaches, take the time to work out the options that address the problems you have identified.

Engage. Confirm that everybody affected by a new cybersecurity program or effort is on board with the changes before they are implemented.

Act. Implement mandatory training for all employees that explains the common ways attackers get into systems, including how phishing works.

Sustain. Define metrics that keep cybersecurity policies in force, and provide an easily accessible way for employees to identify and report incidents.

“The company that truly engages all of its employees, suppliers, vendors and other stakeholders to be knowledgeable and aware of basic cybersecurity protocols,” Campos says, “will have a much better chance of countering criminals.”

About J. Eduardo and Erica Campos

Eduardo Campos and Erica W. Campos are co-authors of From Problem Solving to Solution Design: Turning Ideas into Actions. They have a combined tenure of over fifty years solving complex problems for global organizations. J. Eduardo is an expert in strategic, human-centric solution design with a background in cybersecurity and business development. He has worked on four continents, tackling intercultural and multinational problems, and spent the last 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. His consulting firm, Embedded-Knowledge Inc. (www.eecampos.com), works with organizations and entrepreneurs to develop customized business strategies and to form partnerships focused on designing creative solutions to complex problems.

5 Key Considerations for your Cyber Security Strategy

Cyber security. Not only do all organizations need it, but most organizations need to improve it. As hackers and all other manner of cyber criminals get increasingly crafty, the average cyber security team is struggling to keep pace. As it turns out, the road to hell is paved with well-intentioned but somewhat unfocused cyber security efforts.

Therefore, developing a cyber security strategy is a good foundational step for obtaining the level of cyber security necessary to protect your business, employees, customers and reputation. And paying attention to these five key considerations is a good foundational step for developing a cyber security strategy.

Set out clear objectives

All organizations need cyber security, but what works for one organization could be a disaster for another. This is not the place to attempt a one-size-fits-all approach. To begin to understand what your cyber security objectives should be, you need a solid understanding of the threat landscape as well as where your organization and its critical business operations fit into it. Does your organization need to better protect customer data? Become fully compliant with new regulations? Incorporate a cyber security mindset across all aspects of business operations and functions? Become more resilient to attacks? Before a strategy can begin to take shape, you need to know what you’re working towards.

Identify your assets to establish cyber security priorities

The first part of this step is putting together a comprehensive list of the organization’s most important databases, networks, applications and any other assets. What are they? Where are they? What is currently protecting them? What are they connected to?

The second part of this step involves completing a nerve-wracking exercise, but it’s something that needs to be done over and over again if you’re going to have a solid cyber security strategy: assess your organization from the attacker point of view. Of all those assets in the list, what are most attractive to potential attackers? What could inflict the most damage to your organization if it were compromised? What would interrupt the largest number of business processes? Look at this from every possible angle, from the profit-driven hacker to the attackers hired by underhanded competitors to politically-motivated hacktivists – which of your assets are the biggest targets? These are your cyber security priorities.

Determine where you’re vulnerable

This is where you once again need to get proactive. Hacking simulation, penetration testing and other offensive-minded approaches are necessary to find your organization’s weak spots and vulnerabilities as well as figure out exactly how deep someone could get into your networks, systems and databases if they made it in. This serves to help you:
1) Shore up those vulnerabilities as much as possible and…
2) Put in place monitoring measures that help detect and respond to suspicious activity as quickly as possible; a managed security operations center (SOC) might be the best option for organizations that don’t have a robust in-house SOC.

Make sure you have the right technology and personnel in place

As much as you might hope differently, it isn’t enough to simply invest in the best cyber security technology. Think of it like having an F-35 in your driveway. It’s a marvel of technology, but what good is it going to do if you don’t have a pilot to operate it? What your organization needs is a combination of the right technology, processes and the people who have the skills to orchestrate it.

To get the right cyber security team in place you need to consider your organization’s objectives as well as priorities and vulnerabilities. The team you need could include security engineers and architects, analysts, incident responders, ethical hackers, pen testers, forensic experts, auditors and a chief information security officer, to name a few possible positions, and all these employees need to be able to operate at a high enough level to deal with the threats your organization is facing. If it isn’t possible to staff an in-house team at the level your organization requires, it may once again be time to consider a managed cyber security solution.

Whether you’ve got an in-house team or a managed solution, you then need to ensure you’re working with the right vendors to arm your team with the technology they need to keep your assets protected, otherwise you’ll have the stealth fighter pilot but no F-35.

Assess the overall organization’s cyber security awareness

You can have the right cyber security people combined with the highest rated technology and the ideal offensive-minded approach to cyber security for a top-notch security operations center, but it won’t matter if your overall organization is not educated on cyber security threats.

From malware and spear phishing attacks to weak passwords and mishandled credentials, the current cyber security landscape is full of attackers who know that organizational cyber security awareness and education is lacking and know exactly how to capitalize on it. From top to bottom, your employees need to be educated about the threats that exist, trained on what they must do to protect the organization, and made aware of the consequences to the organization if they don’t.

Getting ahead

No one said developing and following a cyber security strategy would be easy, but when done well, it’s one of the most worthwhile investments of time, effort and money an organization can and should make.

The threats aren’t going to let up and in fact will only grow in size, scale and sophistication. With a proactive cyber security strategy, you can stay one step ahead of even the most talented attackers, and one step ahead is the only place you want your organization to be.

Source: CyberHat

A 5-step guide to managing cyber threats in the supply chain

When Danish shipping giant A.P. Moller-Maersk was hit by the NotPetya malware in 2017, its electronic booking systems were knocked offline and the company was ultimately forced into a 10-day rebuild of its entire IT infrastructure.

The attack remains one of the largest disruptions to hit the global shipping industry to date. As a result of lost bookings and terminal downtime, Maersk incurred a loss of around US$300 million (€264 million).

With the increasing sophistication of cyber threats, companies worldwide have to brace themselves for a new reality in which supply chain disruptions are no longer restricted to physical ones. Cyber-attacks have the potential to disrupt or, at worst, cripple the logistics and supply chain operations of an entire business across different geographies.

Instead of adopting a reactive approach to cyber security, companies should actively prevent and manage such cyber risks by devising a response plan with the following five steps.

Identify third-party risks

To thwart future cyber-attacks, companies first have to determine which vendors or third parties have access behind their firewall, and which of them would have the largest impact on the organization in a worst-case scenario.

When selecting vendors to work with, consider the amount of sensitive data the vendor will handle, such as personally identifiable information, protected health information or financial transactions. With this knowledge, suitable mitigation measures must then be introduced to safeguard that data.
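The vendor triage described in this step, worked through as an added example (it is not code from the original article or from Resilience360): each vendor is scored on how far it can reach behind the firewall, the most sensitive category of data it handles and how many business processes depend on it, then ranked so that the review starts with the worst case. The weights, tier thresholds and the sample vendor list are assumptions constructed for illustration; substitute your own data classification.

```python
"""Vendor (third-party) risk triage.

Added example, not from the original article or from Resilience360: ranks
vendors by the worst-case impact of a compromise, using the factors the article
names, i.e. how far the vendor can reach behind the firewall and how sensitive
the data it handles is, plus how many business processes stop if the vendor
goes down. All weights, tier thresholds and the sample vendor list are
constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Sensitivity of data categories a vendor may handle (higher = worse if leaked).
DATA_WEIGHT = {"public": 0, "shipping": 2, "pii": 3, "financial": 4, "phi": 4}
# A category missing from the classification is treated as the worst case:
# "we don't know what they hold" is itself a finding, not a zero.
UNKNOWN_DATA_WEIGHT = max(DATA_WEIGHT.values())

# How far a compromised vendor account could reach inside the perimeter.
ACCESS_WEIGHT = {"none": 0, "portal": 1, "api": 2, "vpn": 3, "admin": 4}

# Review tiers and the minimum score for each (assumed thresholds).
TIERS = (("critical", 15), ("high", 6), ("moderate", 1), ("low", 0))


@dataclass(frozen=True)
class Vendor:
    name: str
    access: str       # key of ACCESS_WEIGHT
    data: tuple       # keys of DATA_WEIGHT; unknown labels count as UNKNOWN_DATA_WEIGHT
    processes: int    # business processes that halt if this vendor is unavailable


def data_weight(categories):
    """Weight of the most sensitive category handled; unknown labels are worst case."""
    if not categories:
        return 0
    return max(DATA_WEIGHT.get(c, UNKNOWN_DATA_WEIGHT) for c in categories)


def impact_score(v):
    """Worst-case impact of compromising vendor v.

    access * (1 + data) keeps a vendor with network reach but "no data" above
    zero, because reach alone enables lateral movement; processes adds the
    availability impact of the vendor simply being down.
    """
    if v.access not in ACCESS_WEIGHT:
        raise ValueError(f"{v.name}: unknown access level {v.access!r}")
    if v.processes < 0:
        raise ValueError(f"{v.name}: process count must be >= 0")
    return ACCESS_WEIGHT[v.access] * (1 + data_weight(v.data)) + v.processes


def tier(score):
    """Map a score to the first review tier whose threshold it meets."""
    for name, threshold in TIERS:
        if score >= threshold:
            return name
    return "low"


def prioritise(vendors):
    """Return (name, score, tier) rows, highest impact first, ties broken by name."""
    scored = [(v.name, impact_score(v), tier(impact_score(v))) for v in vendors]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = (
    Vendor("freight-forwarder", "api", ("shipping",), 3),
    Vendor("hvac-contractor", "vpn", (), 0),
    Vendor("payroll-provider", "portal", ("pii", "financial"), 1),
    Vendor("managed-it", "admin", ("unclassified",), 6),
    Vendor("marketing-agency", "none", ("public",), 0),
)

if __name__ == "__main__":
    for name, score, level in prioritise(SAMPLE_VENDORS):
        print(f"{level:9} {score:3}  {name}")
```

Two design choices are worth keeping whatever weights you adopt: a data category that is not in your classification scores as the worst case rather than zero, and a vendor with network reach scores above zero even when it handles no data, because reach alone is enough for lateral movement.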

Monitor the cyber threat environment

Because cyber threats evolve continuously and new incidents are reported all the time, assessing and understanding events that affect the vendors or third parties your organization works with is an ongoing effort.

The ability to persistently monitor one’s supply chain and the cyber threat environment will be the best determinant in responding adequately to a cyber-incident.

For instance, a year on from the attack on Maersk, Chinese state-owned shipping conglomerate COSCO Group managed to contain the damage and limit the length of the disruption when its shipping operations in the Americas suffered a ransomware attack.

Though those operations came to a momentary standstill, the company’s swift response and preemptive network segmentation prevented the attack from spreading, and regular operations resumed within a week without significant damage.

Assess potential impact

Organizations should be able to gauge the extent of the impact a cyber-attack could have on their business operations.

Knowing the nature of each cyber-attack can better equip companies by facilitating understanding, communication and coordination along its supply chain.

Types of cyber attacks

·Data breach: Release of protected information to an untrusted environment, including trade data, schematics, manufacturing systems, shipping data and other confidential company information
·Ransomware: Malware that encrypts the data on a user’s machine or end system, rendering it inaccessible, and demands a ransom payment in exchange for the decryption key
·Denial of service: An attack, often launched from many compromised machines at once (a distributed denial of service), that renders a firm’s website or system unavailable to legitimate users
·Vulnerability exploitation: Abuse of a weakness in a system, whether publicly known or not yet disclosed, to perform unauthorized actions on it
·Phishing: A fraudulent message designed to trick staff at any level, from entry level to executives, into handing over credentials for malicious use

Conducting a risk assessment of the areas of vulnerability from multiple angles will help a company measure the potential risk and threat of a sudden attack on its supply chain.

Develop risk scenarios and emergency protocols

Without established emergency protocols that are actually followed, a cyber-attack is likely to cause confusion that turns into supply chain disruption. Companies need to train their employees on potential threat scenarios and develop corresponding response plans for different situations.

Often, these response processes might involve the use of advanced technology and human intelligence analysis. Having established the protocols and trained employees on their respective emergency response roles, the company will then be well-prepared to implement the appropriate measures to mitigate the potential damage inflicted by a cyber-attack.

Communicate relevant actions to stakeholders

When a threat has been identified, investigate the matter internally and cascade information within the organization in a timely manner before alerting the relevant authorities, taking care not to miss any notification deadlines that regulators impose. Once more details emerge and the nature of the threat is confirmed, organizations should proactively inform all affected stakeholders while activating the emergency response teams to rectify the issue.

With the threat of cyber-attacks looming large, companies need to take control and ready themselves with a proper response plan and top-notch cyber security practices to protect their supply chain.

Shehrina spearheads the supply chain risk monitoring capabilities for Resilience360. Resilience360 offers end-to-end supply chain risk management, alerting customers to supply chain incidents worldwide and to risks to their global supply chain in near real time. The platform helps companies handle an ever-changing world by assessing the impact of natural disasters, changing regulatory environments and other supply chain risks. With Resilience360, businesses can visualize their supply chains end to end and use machine learning to detect early warnings of incidents that could disrupt them, allowing customers to respond preemptively and minimize business interruption.

This article was originally published on DHL’s Logistics of Things. Read more on how logistics impacts business, builds lasting connections and drives innovation.

US Retailers “Overconfident” on Cyber Security Issues

Portland, OR – US retail firms are confident in their ability to quickly detect data breaches, despite industry research to the contrary, according to a recent survey conducted by Dimensional Research and Oregon-based security management firm Tripwire.

When asked how quickly their organizations would detect a breach, 42 percent said it would take 48 hours, 18 percent said it would take 72 hours, and 11 percent said it would take a week, the survey said.

While 35 percent of respondents were “very confident” and 47 percent were “somewhat confident” that their security controls could detect rogue applications, most breaches go undiscovered for weeks, months or even longer, the research found.

The 2014 Trustwave Global Security Report reveals that the retail sector is the top target for cyber criminals, comprising 35 percent of the attacks studied with an average 229 days taken to detect a security breach.

The report also states that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013. Some 85 percent of point-of-sale intrusions took weeks to discover, and 43 percent of web application attacks took months to detect.

The survey evaluated the attitudes of 154 retail organizations on a variety of cyber security topics.

“I always say that trust is not a control, and hope is not a strategy,” said Dwayne Melancon, chief technology officer for Tripwire. “Unfortunately, this data suggests that a lot of retailers are far too hopeful about their own cyber security capabilities.

Despite “ample historical evidence that most breaches go undiscovered for months,” he said, “There is clearly a significant disconnect between perception and reality, even though the repercussions for failing to meet the required level of rigor around cyber security have led to the recent removal of retail executives and board members.”

The survey also found that 70 percent of respondents said that the recent, nationally-reported Target security breach has affected the level of attention executives give to security in their organizations and that 26 percent of respondents don’t evaluate the security of business partners, such as HVAC contractors who were implicated in the Target breach.

07/03/2014