Improving Security Along Your Supply Chain: 7 Pointers

Disruptions in the supply chain can ripple throughout entire industries. As the world becomes more interconnected, these threats become increasingly worrisome, with widespread issues throughout the COVID-19 pandemic highlighting their severity.

Supply chain attacks rose by 42% in Q1 2021 in the U.S. alone, impacting 7 million people. In light of these rising threats, supply chain security is more important than ever. Here are seven pointers for improving it.

1. Restrict Access Privileges

One of the primary drivers behind rising supply chain attacks is these networks’ wealth of valuable data. Logistics organizations have gone digital and now generate and store vast amounts of information that cybercriminals can steal or hold for ransom. Restricting access privileges can help mitigate these threats.

The more people have access to a system or database, the more potential entry points there are for cybercriminals. Supply chains can reduce these entry points by restricting who can see or interact with which systems. A good practice to follow is the principle of least privilege: only those who absolutely need given data to perform their duties can access it.

Tighter access privileges should pair with thorough authentication measures. Users must verify their identity through multifactor authentication (MFA) before accessing anything they’re authorized to use.

2. Verify Third Parties’ Security

Third-party actors are another common vulnerability among supply chains. As an example of how pressing this issue is, the now-infamous SolarWinds hack, the biggest cyberattack of 2020, came from a third party. Hackers gained access to thousands of businesses and agencies by infiltrating SolarWinds, a third-party service they all used.

Supply chains must verify the security of any third party before doing business with them. That can mean asking for proof of security measures, only partnering with certified organizations or auditing third parties’ security through independent specialists.

Organizations should also apply the principle of least privilege here. Third parties should only have access to the systems and data they need and nothing more. That way, a breach on their end will cause minimal damage.
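As an added illustration of the least-privilege checks described in sections 1 and 2 (this is not code from the original article), the Python below audits a constructed table of account grants against what each role actually needs, flags employee, third-party and stale accounts holding more than their job requires, and enforces a default-deny access check. The role names, account names and permission strings are all constructed sample data.

```python
# Constructed sample data: the minimum permissions each role needs to do its job
# (the "need" side of least privilege). A third-party carrier gets tracking only.
ROLE_NEEDS = {
    "warehouse_clerk": {"inventory:read", "shipments:read", "shipments:update"},
    "ap_specialist": {"invoices:read", "invoices:approve", "vendors:read"},
    "carrier_partner": {"shipments:read"},
}

# Constructed sample data: what each account has actually accumulated over time.
# "intern" belongs to a role that no longer exists, so nothing it holds is justified.
ACCOUNT_GRANTS = {
    "alice": {"role": "warehouse_clerk",
              "grants": {"inventory:read", "shipments:read", "shipments:update"}},
    "bob": {"role": "ap_specialist",
            "grants": {"invoices:read", "invoices:approve", "vendors:read",
                       "vendors:update", "inventory:read"}},
    "carrier": {"role": "carrier_partner",
                "grants": {"shipments:read", "shipments:update", "invoices:read"}},
    "intern": {"role": "former_intern", "grants": {"inventory:read"}},
}


def excess_grants(role_needs, accounts):
    """Return {account: sorted grants beyond what the account's role needs}.

    An account whose role is not defined has no justified need at all, so every
    grant it holds is reported as excess (the stale-account case).
    """
    report = {}
    for name, info in accounts.items():
        needed = role_needs.get(info["role"], set())
        extra = info["grants"] - needed
        if extra:
            report[name] = sorted(extra)
    return report


def is_allowed(accounts, role_needs, account, permission):
    """Default-deny check used at request time.

    Access is granted only if the account exists, its role is defined, the role
    genuinely needs the permission, and the grant is actually present. Taking the
    intersection means an over-provisioned grant is inert until the audit removes it.
    """
    info = accounts.get(account)
    if info is None:
        return False
    needed = role_needs.get(info["role"], set())
    return permission in needed and permission in info["grants"]


if __name__ == "__main__":
    for account, extra in excess_grants(ROLE_NEEDS, ACCOUNT_GRANTS).items():
        print(f"{account}: remove {', '.join(extra)}")
    print("carrier may read invoices:",
          is_allowed(ACCOUNT_GRANTS, ROLE_NEEDS, "carrier", "invoices:read"))
```

Run periodically, the audit output is the list of grants to revoke; the request-time check makes sure that a grant nobody has cleaned up yet still cannot be exercised.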

3. Secure All IoT Devices

As supply chains have embraced new technologies, many have unknowingly created new vulnerabilities. The widespread use of Internet of Things (IoT) devices to track inventories and shipments can put supply chains at risk. While these gadgets are extraordinarily helpful, they’re notoriously risky if companies don’t secure them properly.

A seemingly innocuous IoT device can act as a gateway to more sensitive systems and data on the same network. Thankfully, the steps to mitigate this threat are relatively straightforward. First, supply chains should host IoT devices on separate networks from other systems so hackers can’t access more sensitive data through them.

Next, supply chains must encrypt all IoT communications to secure their data transmissions. Encryption is often disabled by default, so this step is easy to overlook. Enabling automatic updates will help keep these devices secure, too.

4. Equip Workers Appropriately

While cyber threats may be the most pressing aspect of supply chain security, organizations shouldn’t neglect physical security, either. Piracy, physical theft and similar crimes are still relevant dangers. Supply chains can protect against these by hiring security staff and equipping them appropriately.

New padding technologies can consist of 0.01% solid material but still provide sufficient protection. Equipment like that will help security workers stay safe while not restricting their comfort or range of motion. Other tools like metal detectors, flashlights and ID scanners can further provide these employees with the utmost protection.

Equipping drivers and other supply chain workers with emergency resources is crucial, too. Radios, medical kits, rations and similar supplies should be standard in trucks, ships and other vehicles.

5. Improve Supply Chain Transparency

Supply chains can improve physical and digital security by increasing transparency. The more an organization can see about its operations, the faster it can respond to any incoming threats.

IoT security systems can let workers monitor cameras from their phones, giving quick access to security information. Similarly, organizations can employ smart sensors to monitor for break-ins, fires, leaks and other threats to alert employees when a situation arises. When companies learn of these risks faster, they can respond more effectively.

Similarly, network monitoring tools can give IT teams insight into potential data breaches. Artificial intelligence (AI) systems can continuously monitor for suspicious activity, alerting workers when there’s a possible cybercrime attempt.

6. Train Employees in Security Best Practices

No matter what other security steps an organization takes, employees must be taught about them. All it takes is one misstep from a worker to jeopardize a supply chain’s security, regardless of how strong its other defenses are. For this reason, as many as 85% of data breaches result from human error.

Every employee should receive security training covering relevant risks, best practices and emergency procedures. It’s important to stress why these methods are important so workers understand the gravity of their actions in some situations.

In addition to initial security training sessions, supply chain organizations should host regular refresher training. That way, proper procedures will remain fresh in employees’ minds, preventing mistakes related to them forgetting best practices.

7. Create an Incident Response Plan

Supply chains must understand that no defense system is perfect. Disruptions in this industry carry too much risk to ignore, and it’s likely any organization will someday face an emergency. They should create a formal incident response plan that enables quick, effective action should an unexpected event occur.

More than half of all companies have experienced downtime that’s lasted eight hours or more in the past five years. Supply chains can prevent this through a disaster recovery plan. What this looks like will vary among organizations, but it should include backup resources, communication strategies, specific protocols for each department and contingency plans.

Supply chains don’t need to prepare for every emergency but should determine which events are the most likely or potentially destructive. These incidents deserve formal, detailed response plans, which all employees should know. To ensure ongoing efficacy, organizations should periodically review and update these plans.

Supply Chain Security Is Essential

If a supply chain experiences a security breach, it could affect far more than the logistics company itself. That risk, coupled with the rising trend of supply chain attacks, makes these security steps essential.

These seven points are not a comprehensive list of security procedures but cover the most important factors. Supply chain organizations should ensure they consider these steps and take further action if necessary.

The Evolution of Cybersecurity

Last year we saw cybercriminals seizing a massive business opportunity.

Our rapid shift to working from home due to COVID-19, plus heightened financial, political, social, and emotional stressors presented a perfect storm:

- The consumer-grade routers and electronics we use at home are inherently less secure than the centrally managed commercial-grade devices at our offices.

- Many home networks are already compromised. In April 2020, BitSight found that 45% of companies had malware originating from an employee’s home network.

- Social engineering hacks like phishing, vishing, and smishing thrive when victims are preoccupied or fearful.

Our organizations became very vulnerable very suddenly, and bad actors did not hesitate to cash in. In March alone, scammers ramped up COVID-related phishing scams by 667%. Overall, the FBI’s Internet Crime Complaint Center (IC3) saw a 400% increase in reported cyberattacks in 2020.

While the events of last year presented a unique scenario for all of us, the swift and aggressive response from bad actors is indicative of a trend that will, unfortunately, persist: cybercriminals have organized themselves into a successful enterprise that continues to innovate and evolve for maximum profit.

And that profit is sizable: According to a March 2020 study by Atlas VPN, cybercriminals bring in over $1.5 trillion per year in revenue—more than Facebook, Walmart, Apple, Tesla, and Microsoft combined.

Why does it matter?

Our only option when it comes to mitigating (not eliminating) the risk of a breach is to match ever-evolving threats with an ever-evolving security strategy.

Cyber defenses cannot be “set and forget” anymore; while antivirus software, firewalls, and active monitoring tools are essential components of that defense, they are no substitute for human vigilance. 

Not only that, but our concept of vigilance must recognize the potential for highly sophisticated cyber breaches that span weeks or even months. Instead of snatching valuable data in discrete intrusions, cybercriminals are siphoning it off via prolonged, methodical interactions with victims. One popular scam works like this: 

- The bad actor identifies who in your organization processes payments.

- They gain access to that person’s email account, generally through a standard phishing email.

- They monitor the email account over a period of time to identify high-dollar vendors.

- They craft a spoofed domain and impersonate that vendor (think accounting@optima1networks.com).

- The target receives an unassuming email from the “vendor” with instructions to remit future payments to a new account (guess whose).

- The target continues paying the fraudster until you or your vendor realizes the mistake.

These targeted exploits cost US victims roughly $1.7 billion in 2019, up 33% from 2018. 
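The payment-redirection scheme described above hinges on two signals a mail gateway or accounts-payable workflow can test for: a sender domain that imitates a real vendor, and a request to change where money is sent. As an added example that is not part of the original article, the Python below performs that triage: it checks the inbound sender domain against an allow-list of known vendor domains, folds common digit-for-letter substitutions (such as the `1` standing in for `l` in optima1networks.com), scores near misses such as a wrong TLD, and holds any message asking for new payment details for out-of-band confirmation even when it comes from the genuine vendor domain, since that mailbox may itself be compromised. The vendor domain list, the confusables table, the phrase pattern and the sample messages are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample allow-list: domains of vendors accounts payable actually pays.
# A real deployment would load this from the vendor master file.
KNOWN_VENDOR_DOMAINS = {"optimalnetworks.com", "acme-freight.example"}

# Digit substitutions that read like letters at a glance (constructed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b"})

# Phrases that typically accompany a payment-redirection request (constructed).
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank|account|wire|remittance|routing)\b"
    r"|\bremit\s+(all\s+)?(future\s+)?payments?\b",
    re.IGNORECASE,
)


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value ('' if absent)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain, threshold=0.85):
    """Return (kind, closest_known) where kind is one of
    'known_vendor', 'lookalike', 'unknown' or 'none'."""
    if not domain:
        return "none", None
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known_vendor", domain
    folded = domain.translate(CONFUSABLES)
    best_score, best_match = 0.0, None
    for known in KNOWN_VENDOR_DOMAINS:
        if folded == known:  # identical once 1->l, 0->o, ... are folded back
            return "lookalike", known
        score = SequenceMatcher(None, folded, known).ratio()
        if score > best_score:
            best_score, best_match = score, known
    if best_score >= threshold:  # near miss: dropped letter, swapped TLD, etc.
        return "lookalike", best_match
    return "unknown", None


def triage(from_header, subject, body):
    """Decide what to do with one inbound message; returns the reasons too."""
    kind, match = classify_domain(sender_domain(from_header))
    wants_payment_change = bool(PAYMENT_CHANGE.search(subject + "\n" + body))
    if kind == "lookalike":
        verdict = "block_and_escalate"
    elif wants_payment_change:
        # Even the genuine vendor domain may be sending from a compromised
        # mailbox, so any change of payment details is confirmed by phone
        # using a number already on file, never one taken from the message.
        verdict = "hold_for_callback"
    else:
        verdict = "deliver"
    return {
        "domain_kind": kind,
        "closest_vendor": match,
        "payment_change_requested": wants_payment_change,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample message modelled on the scheme in the article.
    result = triage(
        "Accounts <accounting@optima1networks.com>",
        "Updated remittance details",
        "Please remit all future payments to our new account. Details attached.",
    )
    print(result)
```

The callback rule is the part worth keeping even if the domain heuristics are replaced by a commercial filter: a domain check catches the impersonation step, but only a verification channel the attacker does not control catches the case where the real vendor's mailbox has been taken over.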

Attacks like this harm your business in two ways: 

- Directly: In addition to funds stolen by a hacker, you may incur ransom payments, downtime while your data is recovered, and steep labor costs for emergency IT support. In the case of ransomware attacks, average downtime is 19 days, and costs to remediate average $730,000 for those who don’t pay the ransom, and $1.45MM for those who do.

- Indirectly: Your reputation takes a hit when news of a breach gets out (every state government requires some form of disclosure). Cybersecurity audits are becoming a popular precursor to business engagements and memberships, and 38% of businesses report losing customers because of real or perceived gaps in their cybersecurity posture.

While there will never be a silver bullet when it comes to cybersecurity, it’s imperative we adapt both our defenses and our mindset to best protect ourselves in this new landscape.

Our recommendations

More cybercriminals are entering the space, and they are more organized, disciplined, and persistent than ever. This means that our cybersecurity strategies must rise to meet this new challenge, and that what we used to view as “advanced” measures must now become our baseline.

At minimum, we recommend you implement the following:

1. Advanced Endpoint Protection on all machines accessing corporate data. Centralized anti-malware only checks for known virus definitions. Add Next Generation protection that uses Artificial Intelligence to flag all “unusual” behavior, and either kill the process or alert a Security Operations Center (SOC) to intervene.

2. Two-Factor Authentication (2FA). Strong passwords are no longer sufficient. Turn on two-factor authentication for any accounts and systems that don’t already have it. Check regularly to make sure all accounts are covered. 2FA makes it much harder for unauthorized users to gain access to your system even if they obtain your password.

3. Backup and recovery for all cloud apps. Most popular applications (like Microsoft 365) have some backup built-in, but in a limited capacity. Do you have sufficient retention policies? Would you be able to restore files encrypted or lost to malware? Protect your Microsoft 365 email, SharePoint, Teams, OneDrive, and other online apps with a supplemental cloud backup service.

4. Firewall with Intrusion Detection. An up-to-date firewall is a start, but we recommend also employing Intrusion Detection to monitor network traffic for potentially malicious behavior.

5. Security Awareness Training. In addition to annual training, continually feed your employees security tips, and continually test with phishing simulations. It is essential that security remains top-of-mind year-round.

There are several security frameworks like NIST, ISO, and CMMC that can provide structure to your security efforts even if you aren’t subject to compliance regulations. These can feel overwhelming to tackle, but the items above will get you well on your way to fulfilling the core requirements.

Beyond this, it’s critical to embrace the mindset that a network is only as secure as its users are vigilant and adaptive. The sophistication and sheer volume of today’s cyber threats demand that:

- Cybersecurity expenditures get their own line item in your annual budget.

- Your cybersecurity posture needs annual review, as new threats are emerging all the time.

Most importantly, you need a resource who is qualified to assess your specific business needs and construct a solution that coordinates the technical and human components of your cyber defense.

________________________________________________

Heinan Landa is the Founder and CEO of Optimal Networks, Inc., a globally ranked IT services firm, the creator of Law Firm Anywhere, a virtual desktop solution that helps attorneys work seamlessly and securely from anywhere, and author of The Modern Law Firm: How to Thrive in an Era of Rapid Technological Change. After earning his B.S. and M.S. in Electrical Engineering and Computer Science from Johns Hopkins University, Heinan went on to receive his MBA from The Wharton School of Business. Featured in Legal Management, Legal Times, Chief Executive, Inc. Magazine, Forbes, CIO, and with regular appearances on ABC7, CBS9, and FOX5 TV, Heinan is a trusted leader in the legal, technology, and business spaces. For more, www.optimalnetworks.com, 240-499-7900, or hlanda@optimalnetworks.com.

Is It You Or An ID Thief? How AI Uses Document Verification To Keep You Safe.

It’s a moment most people have experienced.

You’re required to show your ID for something and you wait as the person studies both your face and the photo on the driver’s license, passport, or another document, making sure you’re not an impersonator trying to pull a fast one.

These days, artificial intelligence is playing a role similar to that security person, with software that allows validation of IDs remotely through digital document verification. This way you can do business through your smartphone, and someone on the other end can make sure you’re who you say you are and that a thief hasn’t stolen your identity.

And that’s especially important at a time when identity theft has been on the rise, says Stephen Hyduchak, CEO of Aver (www.goaver.com), an identity-verification service.

“Fraudsters are getting creative, but so is technology,” Hyduchak says. “It’s important to keep up because there are so many ways to create fake documents that allow someone to claim to be you and maybe even get away with it.”

Hyduchak says there are a few categories of document fraud:

Illegitimate documents. These documents are completely false. They have characteristics such as missing holograms or other current standards that are essential parts of a legitimate version of that document.

False documents. This is a document that belongs to one person, but that another person tries to use in an effort to authenticate himself.

Modified documents. This is when an original document is altered. Hyduchak says the alterations can be caught with software that detects whether fonts and text match the originals.

How do fraudsters even get the ID documents to start with? Hyduchak says it’s a matter of data security breaches – and often a combination of more than one breach. He gives this example. Just recently, the cryptocurrency exchange Binance, using a third-party Know-Your-Customer (KYC) provider, was the victim of a hack that leaked over 10,000 photographs of purported Binance KYC data. This breach affected up to 60,000 people.

“On Binance, users buy and sell cryptocurrency, something that is privacy-centric by its very nature, but still vulnerable,” Hyduchak says. “Coupling leaks like this with major data breaches like Equifax and Target, our personal information can be manipulated for the fraud with some basic photoshop work.”

A digital verification process is one way to head off any subterfuge, Hyduchak says. For example, his company has a program that works this way: The user captures a picture of their ID or passport using their smartphone. The user then takes a selfie to verify they are the same person pictured on the ID or passport. Facial recognition software compares the images through algorithms.

“As time goes on,” Hyduchak says, “I think you are going to see digital facial checks become the standard for ID verification, and that will eliminate most types of fraud.”

_____________________________________________________________

Stephen Hyduchak is the CEO of Aver (www.goaver.com), an identity-verification service. Hyduchak worked in corporate finance for companies such as PRA Health Sciences before finding the entrepreneur bug. He began working on media and design for small businesses, which led him to consulting projects in the blockchain space, and eventually to founding Aver.