A procurement manager at a mid-size company receives a text message from the CEO saying that their warehouse vendor is offering a 30% discount if they pay their invoice by Friday.
The text message includes a bank account number. Although the procurement manager is suspicious, he decides to wire the money a couple of hours later, assuaged by a voicemail from the head of the company again asking to pay the invoice.
Shortly after the money is sent, it's revealed the entire interaction was a sophisticated phishing scheme. A bad actor determined the name of the company's warehouse vendor, and then sent a voicemail by manipulating the CEO's voice using clips from public appearances and earnings calls.
The scenario, a real-life example provided by SANS Institute Director of Emerging Security Trends John Pescatore, illustrates how phishing schemes and cyberattacks targeting supply chains have become more sophisticated in recent years.
And supply chain attacks, which occur when an attacker infiltrates a system through an outside vendor, are only expected to continue. The Identity Theft Resource Center, which tracks publicly-disclosed breaches, found that the number of compromises in 2022 resulting from supply chain attacks far exceeded those linked to malware. Not only that, but the number of supply chain attacks in the first two months of 2023 is also already 40% of last year's total.
Pescatore joined the cybersecurity training provider SANS after 13 years at Gartner, and has worked with dozens of companies of all sizes to prevent their supply chains from becoming compromised. In a conversation with Supply Chain Dive, he provided more insight into why business leaders need to take supply chain security seriously and what they can do to prevent an attack.
A cybersecurity 'weak link'
Supply chain security garnered national attention in 2013, when a cyberattack against Target exposed financial and personal information of as many as 110 million customers. The attacker was able to gain access to Target's computer system due to the weak security of one of the retail giant's HVAC vendors.
Since then, other major breaches have wrought devastating effects on businesses. A high-profile attack against Colonial Pipeline, for example, led to gas shortages and higher prices on the East Coast after the oil supplier decided to shutter operations to prevent the hacker from accessing systems controlling fuel delivery.
Businesses are often so preoccupied with protecting the integrity of their own products that they can forget that tech is also part of their supply chains. From ERPs to digital tools that simplify payroll, companies could be using hundreds of different software applications, and each is a point of vulnerability.
Even if one system goes down, it could mean "you can't ship," Pescatore said. "Software is at least as critical as physical products in the supply chain."
As bigger companies take more measures to beef up cybersecurity, hackers are now focusing their attention on exploiting vulnerabilities within a business' tech suppliers. That has placed greater pressure on procurement to work closely with cyber teams to properly vet software providers.
"The bad guys are always trying to find a weak link in the chain," said Pescatore. "And that's been the supply chain."
Protecting the supply chain
Accelerating attacks against supply chains have caught the attention of federal officials. The Cybersecurity & Infrastructure Security Agency created a supply chain risk management task force in 2018, and is set to create a permanent supply chain office this year, according to trade publication Federal News Network.
But businesses can also do more to guard against an attack, from sending employees phishing tests to revamping the tech procurement process.
Here are a couple of steps Pescatore recommends procurement managers and businesses take:
- Map out your tech suppliers: Just like for other parts of the supply chain, procurement should have a good grasp of each tech provider a company uses. That includes understanding if the tech suppliers are legitimate.
"A software supplier literally can turn from five guys in a garage to a major company six months later," Pescatore said. "So procurement has to figure out how to know whether the software product is of quality, and not littered with vulnerabilities."
- Add cybersecurity to supplier contracts: More businesses are asking their tech suppliers to provide a Software Bill of Materials, which details the various components used in building software. Beyond that, Pescatore recommends that procurement teams require suppliers to test the product for vulnerabilities before they are shipped out.
"If a supplier refuses, you should say: 'Why are we buying software from a company that's not even testing their own products?'"
- Train and empower employees outside procurement: Not every purchasing decision will be run through the procurement team, making it more important for employees across the entire organization to understand the importance of cybersecurity.
Risk rating companies, for example, can allow business managers to easily grade the security of whatever tech they're about to purchase using publicly-available data.
"You can go to a business unit manager and say: 'Whenever you choose a supplier you have to check this. If their score is above a certain amount, go for it," according to Pescatore. "Although these rating companies aren't perfect, they bring some basic level of supply chain security."
Ultimately, Pescatore says the most important step to shore up security is opening communication and collaboration across business departments — especially between IT and procurement. Security and business teams need to work together in order to ensure systems are secure, cost efficient, and provide real value.
"The supply chain is complicated and a lot of different people play different roles," said Pescatore. "Typically the hardest job in security is trying to get everybody together to agree on something."
This story was first published in our Procurement Weekly newsletter. Sign up here.