TT Talk - Real risks of e-crime in the supply chain
Scarcely a week goes by without media highlighting some element of cyber risk. Focus is generally given either to 'national security' issues or scams impacting personal financial matters. While businesses are revealed as vulnerable to breach of data for these purposes, there may be complacency concerning thorough risk assessment and mitigation programmes, particularly in industries - such as the international supply chain - where the customer and supplier relationship is historically more secure.
There is arguably a need to re-define and re-calibrate what is commonly termed as 'cyber risk'. Businesses in many sectors - and the international supply chain is not immune - are in danger of seeing both 'Edward Snowden' type headlines and 'Heartbleed' malware as matters for others to manage, whereas the reality is that the risks that fall between the extremes of national and personal security require all the usual risk management techniques and continuing consideration of a broadening spectrum of risk exposures.
Containerisation & internet are siblings
It is perhaps sobering that the internet was first created at the dawn of containerisation; both have had a profound impact on international trade. While trade facilitation is, of course, far broader than the unit load, the solutions that have been developed over the ensuing decades to enable efficient and timely cross-border transacting have become almost entirely reliant on electronic communications. However, as the unit load industry has questioned its innate tolerance of poor packing practices over the last few years, so the internet's inherent and deliberate connectivity has been challenged by the relative inability to keep matters secure.
At an individual level across the globe, we are increasingly aware of our connection to the internet, not just in communications, shopping and banking transactions, but also in the ability to control our 'stuff' remotely - the 'Internet of Things' is becoming reality. Equally, there will be an awareness of 'security' and the need to act on that tedious advice to change passwords regularly and somehow maintain an increasing variety of codes in our heads.
'e' merely facilitates crime
Of course, 'cyber' or 'e' risks have resulted in an industry devoted to providing increasing layers of security, and legislators have weighed in with data protection requirements and are moving towards liability regimes to match. In the meantime, electronic transactions continue unabated, despite the fact that identity theft has become big business across the world - apparently Interpol maintains a database of 40 million lost and stolen travel documents from 157 countries. Reality in a corporate environment might be better served by selecting terms that are less to do with warfare - 'cyber-attack' - and more closely reflecting what is happening: it is about crime and perhaps it should simply be recognised as 'e-crime'.
Criminals have been swift to leverage the capacity of the internet to obscure identity and location in order to carry out crime and espionage. The very nature of the international supply chain in facilitating movements across borders makes it an ideal vehicle for trafficking of people, drugs and other illegal trades, such as dumping waste, as well as for intercepting valuable cargoes. Criminal organisations are known to have employed hackers to facilitate the trafficking of drugs by compromising IT systems at the destination port in order to generate release codes, allowing the subject containers to be collected. TT Club has also highlighted concerns arising from bogus trucking contractors, particularly through cargo clearing sites.
Thus, it is clear that the internet facilitates what might be termed as 'traditional' crime in the supply chain, which would include theft and smuggling activities. However, these activities also reveal new risks in relation to 'malware' to the extent that infiltration of an entity's IT infrastructure has been shown also to grant access to broader information and data. It is critical that this risk is recognised since it exposes businesses to both loss of reputation as well as industrial espionage. Never underestimate the value of the data your business retains or generates electronically. Whether intellectual property, financial information or your customers' commercially sensitive data, even what appears to be the most benign information can prove extremely valuable to a criminal organisation. Data are everywhere and the lifeblood of most organisations.
Risk mitigation - nothing new
Experts in this niche of security appear consistent that many of the protections are simple but require on-going diligence. Symantec reported recently in Part 1 of its Web Security Threat Report 2014 that 78% of websites scanned contained vulnerabilities, of which 16% were classified as critical, allowing criminals to 'access sensitive data, alter the website's content or compromise visitors' computers'. As such, strengthening the e-perimeter fence is required, twinned with internal mechanisms that ensure only approved software programmes can be run on systems/networks and with educating employees about the risks. Three further IT infrastructure mitigations are commonly highlighted:
- Implement technologies that prevent or monitor attempted installation of non-standard software;
- Maintain policies to ensure regular 'patching' of implemented software and operating systems;
- Restrict to the minimum the number of 'administrator' privileges and maintain auditable controls over their use.
As with the physical environment, the human element is a critical strength and weakness. Effective induction and performance management will mitigate both direct and contract staff risks. In the electronic environment, this can be reinforced by network monitoring of activity and behaviours, in addition to appropriate segregation and set-up of access rights.
A further risk management step is to ensure that there is resilience; as with other aspects of operations, develop contingency and recovery plans, and ensure that they are tested on a periodic basis.
Make e-security integral
The supply chain relies on the ability not only to move goods efficiently around the globe, but also to ensure that appropriate data about the goods and the modes of carriage are conveyed in a way that enables the fulfilment of the underlying contractual and regulatory obligations. Technology is fundamental to this equation; optimisation of processes is most commonly focused on increasing productivity and reducing cost. Reliance on automation and remote monitoring is only set to increase, as is the pressure to integrate more closely with partners and contractors.
While there may be sparse evidence of regular breaches in the logistics supply chain, it could be prudent to invest some of the thin margins in effective e-security. Criminals are becoming ever more professional and e-crime can be expected to grow.
We hope that you have found the above interesting. If you would like further information, or have any comments, please email us, or take this opportunity to forward to any colleagues who you may feel would be interested.
We look forward to hearing from you.
Peregrine Storrs-Fox
Risk Management Director, TT Club