Cyber Vaccination

As the COVID-19 pandemic continues to disrupt socioeconomic stability across the world, organizations are taking unprecedented steps to remain operational. Companies are increasingly dependent on remote-working practices and relying on dispersed digital infrastructure for their employees, third-party suppliers and service providers.

Cybercriminals are exploiting this dependency on work-from-home technologies through increased attempts of phishing, and malware and ransomware attacks.

Several government organizations such as the U.S. Federal Communications Commission and the U.S. Department of the Treasury and global organizations such as the United Nations have issued advisories on the magnitude of cybersecurity threats.

Check Point, a cybersecurity firm, recently said in a report that more than 4,000 coronavirus-related domains have been created since January 2020.¹ Such domains are 50% more likely to be malicious, creating an urgent need for organizations to take proactive measures to protect their data and network from potential cyberattacks, the report added.

While the key challenge for companies is to keep the business running, those that do not have the necessary safeguards in place are the most vulnerable to cyberattacks.

Our focus, in this bulletin, is to help break down the sources and the nature of cybersecurity risks, and recommend immediate measures companies can take to mitigate these cyberthreats. The bulletin is expected to resonate with companies across all industries. The recommended measures are, however, best suited for organizations with nascent or upcoming cybersecurity programs.

This is an enterprise-wide challenge that requires collaborative effort from different parts of the organization — from enterprise security and human resources to procurement. Here are three areas of focus on cybersecurity:

1. Security threats may arise from your third-party suppliers

Threats to an organization’s cybersecurity often trickle down from its supply chain or value chain. Cyberattacks can be propagated through suppliers that have access to your system or data. The pandemic has forced companies globally to operate under unconventional setups, creating potential cybersecurity vulnerabilities through any of their suppliers that fail to implement a secure work-from-home program. While actively monitoring internal security controls of your critical suppliers is paramount, here are some additional steps organizations can take to establish a centralized approach to protect their data and systems from potential supply chain breaches:

a.  Assess all suppliers directly involved in operations. Identify vendors that are critical to uninterrupted operations and have access to the company’s confidential data, systems or applications.

b.  Evaluate the vendor’s current information security program. In partnership with business leads, evaluate whether changes to remote working setups are affecting the vendor’s ability to adequately protect the company’s data with secured access. Procurement can also facilitate this process with the vendors. Conduct regular and stringent reviews of the vendor’s business continuity plans and security program updates. The aim should be to find out if any critical vendor does not have the necessary security controls in place to operate in a protected setting, and take action accordingly.

c.  Partner with procurement. If a vendor fails to adequately adjust its protocols to prevent potential cyberthreats, the business should partner with procurement to plan for rapid sourcing from alternative vendors. Procurement is usually well-suited to lead such efforts because of its market intelligence and knowledge of external supply market. Sometimes, an existing vendor in another business unit can be leveraged to provide adjacent service. Also, pay attention to system availability SLAs stipulated in your supplier contracts and accordingly plan for remediation.

d.  Review supplier scorecards and standard contractual language. Strengthen your long-run cybersecurity and third-party risk management program² by monitoring supplier scorecards and contractual language around information security. There should be collaboration across the organization to establish objectives and identify best practices for cyberthreat management.

2. Check if your organization’s network security is suited for work from home

Remote working has forced employees, contractors, and third-party suppliers to connect to the organization’s IT infrastructure through personal internet networks with varying levels of security controls. Moreover, employees are increasingly relying on collaborative online tools to manage projects, teleconferencing software to conduct meetings and other web and mobile-based applications. Such circumstances increase the risk of a network breach due to lack of centralized network control. Enterprise security teams face the challenge of implementing security controls for an extremely dynamic network setup.

Our recommendations for network security measures include:

a.  Setting up Virtual Private Network (VPN) access for key business applications to reduce unsecured data transmission and the risk of unfettered interception.

b.  Evaluating employee and supplier access levels to critical IT infrastructure and creating checkpoints to provide access approval on an “as needed”’ basis.

c.  Extending typical network security stress tests beyond laptops and workstations to mobile phones and tablets to ensure substantial safeguards from malicious apps.

d.  Actively sourcing secure software solutions with the help of procurement to strengthen the organization’s IT infrastructure, such as data backup, endpoint recovery and protection and privileged access management.

3. Manage COVID-19-related communication to prevent phishing and malware attacks

The need for updated information on COVID-19 is currently driving a significant portion of internet traffic. Cybercriminals capitalize on this and find ways to create false digital identities impersonating a federal or a local agency providing “vital information” or acting as a non-profit organization in need of immediate relief. Here are measures organizations can take to prevent employees from falling victim to such traps:

a.  Educate employees on safe online behavior and set up a process to report threats

b.  Create centralized communication channels for everyone to stay informed. Set up internal forums to facilitate discussions on COVID-19-related topics

c.  Conduct mock phishing experiments to test vulnerabilities and provide employees learning experiences

Cybersecurity risk isn’t just an IT problem. A combination of operational and technological measures, behavioral changes and access to information can create an effective cyberthreat mitigation plan. For many organizations, the COVID-19 crisis has presented an opportunity to kick-start a broader risk management program.

References:

1.  https://blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/

2.  https://www.gep.com/blog/strategy/supplier-risk-management-using-data-technology-part-1

RAPID RESPONSE SOLUTIONS FROM GEP

As the coronavirus crisis intensifies, managing your supply chain is going to get even more challenging. It may be worth finding a partner with deep experience in procurement and supply chain management to reinforce your capabilities and help you stay on course.

If you would like to have a conversation about how we can help, please reach out to our supply chain leadership.

LET'S TALK  

Ian Cotter

Senior Director, Consulting

With over 11 years of experience, Ian is a leader in GEP's Financial Services practice and works with his client's senior leadership in: Procurement Transformation Strategy and Planning, Digital Transformation, Third-Party Risk Management, Spend Analysis, Strategic Cost Reduction, and Strategic Sourcing. Ian previously worked at Accenture in Dublin, Ireland.