What is your Organization’s Approach to Cyber Security?

There are as many different approaches to an organization's cyber security as there are organizations. The business leadership may have some InfoSec expertise; they may understand the value of their data and business processes; they may have a thoughtful, measured approach to protecting information assets... or they may not.

They may understand the threats and risks they face and the impact of a breach, or they may not. Worse yet, they may believe that they have solid governance over the security of their information infrastructure when they do not.

Key Questions

Ask yourself, "What is my (or my leadership's) approach?" To get to the answer, consider the following:

  1. What percentage of executive leadership is confident and/or fluent in information technology?
  2. What percentage understand the true critical value of information assets?
  3. What would really happen if there was a breach?
  4. Are there business issues that seem more important to address right now than protecting information assets?
  5. Has the business ever complained that InfoSec is all cost, with no apparent benefit?

The answers to these questions can be very telling.

Case Study

Let me describe two different approaches, recently taken by two different organizations in the same industry.

Let’s refer to these example organizations as Alpha and Bravo.

Alpha has a large organizational structure. There are company leaders for the various lines of business, a CIO, various IT teams, a great deal of infrastructure, and a lot of politics with considerable organizational inertia. Most of the leadership is non-technical, however, and they regard IT as a huge cost. Despite this, they have invested large sums in the infrastructure over the years.

Bravo is smaller. Each leader covers a wider portfolio and is closer to the day-to-day business. Yes, there are office politics, and they too invest considerable sums in IT infrastructure.

Both organizations are successful in their industry and well respected.

Not long ago, Alpha was hit with ransomware. It was bad. Immediately after the initial infection, the malware spread to most of the servers. The result was catastrophic: most users were unable to log in, conduct business, or even access email for up to a week. The business came to a screeching halt.

Not long after, Bravo was hit by similar ransomware. Hardly anyone noticed. The impact was limited to a single endpoint, which was restored in an afternoon. No business was lost. In fact, no one in the IT department thought it significant enough to notify senior management, who never knew it had happened.

So, what was the difference?

Alpha has a large, diverse infrastructure. They spent proportionally more than Bravo on expensive perimeter prevention, detection, and monitoring. However, when the malware did get in, they had very little ability to limit its scope. At Alpha, most user departments control the infrastructure in their own areas, and many users routinely run with admin rights. As a result, wildly different controls exist in different parts of the business, the environment is very disjointed, and there are multiple vulnerable points of entry for ransomware and nothing to stop it once inside.

Bravo also has decent perimeter controls, but their approach focuses on limiting the scope of impact. Hardly any users have admin rights on their machines, the network is heavily segmented, and access to information is controlled. The network runs on the assumption that any endpoint may be compromised.

Bravo dealt with the ransomware effectively because it had tighter control over administrative privileges and network segmentation. Alpha, by contrast, had an infrastructure design spread thin across the business, a consequence of the leadership's limited knowledge of the subject, and so it took far longer to contain and eliminate the threat.

Bravo's pragmatic view was simply this: protect the perimeter to minimize incursions, but assume that incursions will occur, and work hard to limit their impact if (when) they do. What would happen if a malicious actor got behind your perimeter defenses?
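One concrete way to test the "many users routinely run with admin rights" condition that separated Alpha from Bravo is to audit who actually sits in the local Administrators group on each Windows endpoint. The script below is an added example, not code from the original article or from Centry. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets; the allow-list of expected members (the built-in Administrator account and a domain group named CORP\Workstation-Admins) is an assumption for illustration and must be adjusted to your environment.

```powershell
# Added example: audit local Administrators group membership on a Windows endpoint.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later),
# run from an elevated PowerShell session.

# Assumed allow-list for illustration: the built-in local admin (ideally disabled or
# LAPS-managed) and a hypothetical AD group that IT staff belong to.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation-Admins'
)

# Enumerate current members; domain users/groups appear as DOMAIN\Name.
$Members = Get-LocalGroupMember -Group 'Administrators'

# Anything not on the allow-list is a candidate for removal or, at least, a conversation.
$Unexpected = $Members | Where-Object { $Allowed -notcontains $_.Name }

if ($Unexpected) {
    Write-Host "Unexpected local administrators on ${env:COMPUTERNAME}:" -ForegroundColor Yellow
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or configuration-management run can flag the host.
    exit 1
}
else {
    Write-Host "Only expected members hold local admin on ${env:COMPUTERNAME}."
}
```

Run it across a fleet with `Invoke-Command -ComputerName <hosts> -FilePath .\Audit-LocalAdmins.ps1` and collect the hosts that exit non-zero; the size of that list is a fair proxy for how much an initial infection could spread before segmentation has to do any work.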

This article was written by Dave Ehman, an expert in cyber security, aerospace and IT technology, and the CTO of Centry.

The Value of Secure Logistics Supply Chains

The Cost of Unsecured Supply Chains

Every one of us depends on logistics supply chains, so we are all affected when their security is breached. The consequences can include lost production, reputational damage, or higher prices at the cash register.

Several studies have estimated the amount lost to theft and other security breaches in supply chains. In 2007, the European Union concluded that losses from breaches during road transportation total around 8 billion euros annually within the EU. That statistic is now ten years old, however, so there is a real need for new data. The Transported Asset Protection Association (TAPA) recently commissioned a group of academically distinguished supply chain professionals to study the total cost of cargo theft. Examples of economic loss that TAPA investigates include the cost of reproducing lost assets, re-transportation, and destroying damaged goods.

Small losses here and there compound into large losses over time. That is why secure logistics supply chains are imperative.

Common Examples of Compromised Security

During the years I have worked in logistics security consulting, I have noted several common themes in compromised security situations:

  1. Lack of Security Awareness

Companies are not aware of the threats in their operating environment. This manifests as undervaluing or compartmentalizing the issues so that they do not seem to affect the local environment. Sometimes this view is even partly justified: nothing has happened to them yet. The question is, how long can you operate on sheer luck?

  2. Uncontrolled Sub-Sub-Contracting

Producers of goods subcontract their delivery services, which is, of course, logical. However, the real transportation provider is not always known, as it may be a subcontractor, or even a sub-subcontractor, of the company that sold the service in the first place. Subcontracting chains are what make the logistics industry efficient. They simply need to be documented and controlled, so that the entity that is at least morally responsible in the eyes of the public remains in control.

  3. Inefficient Use of Resources

Inefficient use of resources manifests as both under- and over-resourcing individual parts of the security environment. Under-resourcing happens when issues are knowingly or unknowingly overlooked. Over-resourcing happens when there is awareness of an issue but no comprehensive way to tackle it; for example, money is spent on the wrong equipment, which does not meet the stated requirements. The result is that the budget allocated for security improvements is exhausted with no real solution reached. The options after that are to ask for more resources or to wait and hope that nothing happens.

  4. Trying to Do Everything Yourself

This is a big question in business overall: when is it worth doing things yourself, and when should you contract someone else to do them? There are many situations in which working independently succeeds. However, it requires someone internally who either has experience in the subject or the drive to acquire the necessary knowledge. If those capabilities are absent, the result may be what was described under item 3. Some may think the following is just something consultants say to make a sale, but the harsh reality is that we are usually called in when things start to crumble. Unfortunately, that can end in a patchwork of solutions that tackles only the most immediate issues, or in a misunderstood target that causes inefficiencies.

What’s the Solution?

One of the best ways to enhance security in logistics supply chains is the European Union's Authorized Economic Operator (AEO) program. It is part of a global effort to secure logistics chains against trafficking and financial fraud. The benefits of passing the audit and complying with the requirements of any of the official customs security programs are the same: the authorized company receives a lower risk and threat evaluation, which, for example, reduces the likelihood and number of inspections of its transport units. According to a Stanford University study, this speeds up logistics chains, which can lead to higher customer satisfaction.

Fortunately, there are some easy steps that clear the way for more comprehensive, long-term solutions. These steps support the primary business, which is always the goal of security.

  1. Map out stakeholders and subcontractors

Get the big picture of who has a stake in your supply chain. These entities determine your business environment and therefore your security environment.

  2. Make a clear decision to take control over your security

This decision is a prerequisite, and the policy makers must be on board. The strategic goals are decided, documented and discussed so that there is a clear picture of what needs to be done. A crucial part of this is assigning responsibilities and setting a follow-up schedule. If the goals are not met at follow-up, there must be a stated reason.

  3. State your security requirements for service providers and subcontractors

A clear statement of your requirements regarding security and business practices makes everything easier. The following clause should be included in every service and subcontract agreement: "Further subcontracting of any of the services mentioned in this contract is allowed only with the written consent of the customer."

  4. Train your employees

Continuous training and dialogue between employees on security matters ensure that you have up-to-date information about the environment in which you operate. Training and dialogue also build trust, which is a key component of a successful business.

  5. Contact specialized service providers as early as possible

There are always things you must do yourself, but contacting a dedicated service provider as early as possible will save you time and money. In many cases the required field of security is new to you; let someone with experience in the field help you on your way.

How We Can Help

We at Centry have helped many companies, small and large, to improve their security environment and meet specific security requirements. The process has always shone a light on common obstacles faced by corporations. These obstacles can usually be resolved, which has ensured that the desired benefits are attained.

Centry has several security consultants who can train clients in acquiring AEO certification.

This article was written by Vilho Westlund, a specialist in logistics security consulting at Centry, who has drawn on his work experience to share some valuable information about security in supply chains.

For any questions and comments, please contact Vilho at:

www.linkedin.com/in/vilhowestlund


Quick Tips to Recognize Third Party Risk

Company risk manifests in a myriad of ways, some easy to overlook and others more obvious.

One of the biggest risks in a company's day-to-day operations comes from third parties: distributors, prospective employees, suppliers, service providers, contractors, clients, vendors, and so on. Basically, anyone on the outside who interacts with your business can potentially become a threat.

Risk Categories

  • Commercial: agents and distributors who sell your products and services to foreign officials and commercial parties
  • Regulatory: parties who assist in securing regulatory approvals, permits and licenses (visas, customs, permits, licenses, and other government interactions)
  • Vendors/Suppliers: parties with close relationships to the business, or that offer unique services or products
  • Professionals: lobbyists, lawyers, consultants, accountants and tax professionals (can be high-risk depending on the country and the interactions)
  • Nominees: local representatives holding limited authority, with little ability to bind the company (depending on their power of attorney and spending authority)

With such broad classifications, how can you tell the difference between a compliant partner and a business relationship that could pose a risk to your business? Here are some things to watch out for.

Red Flags

  1. Reputation

Before doing business with a third party, make sure that the entity is reputable in its industry. Is it on any sanctions lists? Has there been any litigation involving it? Keep in mind that associating with a business that has a poor reputation may damage your company's reputation and its ability to market as well.

  2. Connections to Government Officials

Is the third party connected to a government official, or worse, recommended by one? A common example is a member of a company's senior management, or a beneficial owner of the company, who also holds political office or has family ties to someone in office.

  3. Geographic Risk

Is the third party in a country or region with known problems of corruption, war, or sanctions? How does your own country's relationship with that region affect the engagement? Consider also whether it would be hazardous to send your employees there.

  4. "Shell" Companies

These are companies that exist on paper (in registries, in someone's name, and so on) but not in the real world. Often their registered address is an apartment or other residence, or a building with no signage for the company. Bear in mind, too, that most Western companies use the internet and have a presence on social media, so being unable to find any trace of a company online should raise a red flag.

  5. Information that is inconsistent, false, or incorrect

Compare the information a third party gives you about itself with information from independent sources to validate it.

If you suspect that a third party may pose a risk to your organization, do not hesitate to contact us at info@centry.global, where a Centry professional will be happy to help.

This article was written by Kristina Weber, Content Supervisor of Centry. She holds a Bachelor’s Degree in History from the University of Calgary.