Any cyberattack is dangerous, but the particularly devastating ones are those on supply chain companies. These can be any supplier – digital or non-digital – of goods and services.
We saw several attacks on the supply chain occur in 2021 that had wide-reaching consequences. These are “one-to-many” attacks where victims can go far beyond the company that was initially breached.
Some recent high-profile examples of supply chain attacks include:
Some recent examples that have directly impacted dealerships include:
Because they’ve been growing and are expected to continue this trajectory.
Supply chain attacks rose by 42% during the first quarter of 2021. A surprising 97% of companies have been impacted by a breach in their supply chain, and 93% suffered a direct breach as a result of a supply chain security vulnerability.
If your dealership is not properly prepared, you can be impacted by a breach of software you use or have a vital service or goods supplier go down for several days due to a cyberattack.
As part of any good business continuity and disaster recovery strategy, you should look at supply chain risks in light of the current increase in attacks and formulate a plan.
You can’t fix what you don’t know is wrong. So, you need to begin by shedding some light on your risk should one of your dealership's vendors get hit with ransomware (the current attack of choice on the supply chain) or another type of breach.
Make a list of all your vendors and suppliers, both for goods and services. This includes everything from the cloud services you use to the company that supplies your office products or any materials you may use in a product you sell (ie, your parts inventory).
Review these vendors to identify their cybersecurity risks. This is something you may need some help with from your IT department or IT partner. They can work with you to review vendor security or to send the vendor a survey to find out where they stand as to their cybersecurity, and then determine how much that may leave you at risk as one of their customers or partners.
Come up with some minimum security requirements that you can use as a benchmark with your vendors. One way to make this easier is to use an existing data privacy standard as your requirement.
For example, if a vendor is compliant with certain frameworks, then you know they’ve adopted several important cybersecurity standards that protect their business, and yours, from an attack.
If the software you use had a vulnerability that was exploited by hackers to take over a system, how much does that leave your systems at risk? Do you have a regular patch application strategy in place to ensure any software updates are applied right away?
You should have an IT security assessment done if you haven’t done one in over a year. This will help you identify how strong your systems would be at preventing a breach or ransomware infection that was coming from a digital supply chain vendor.
If you sell equipment and have a single supplier for one specific part needed for that equipment, you’re at a much higher risk of downtime than if you had two suppliers of that part.
If a key vendor of yours is attacked and can’t fill orders or provide services for a week or more, how will that impact your dealership? This is what you want to consider when setting up backup vendors.
Look at putting this type of safety net in place for all vendors that you can. And then, train your team on the procedures for utilizing these backup sources so that you minimize the time it takes your dealership to pivot when the need arises.
Microsoft recommends in its Services Agreement that customers back up their cloud data that is kept in its services (such as Microsoft 365). The policy states, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
In short, Microsoft isn't providing you with backups. If their systems go down - once they're back online, if your data is still there.... Great! If it isn't.... Well, it isn't Microsoft's problem.
You should have a backup (in a separate platform) of all data that you store in cloud services, so you’ll be protected in case of a ransomware infection or other data loss or service loss incident.
Don’t be in the dark about your risk. Schedule a supply chain security assessment to learn where you could be impacted in the case of a cyberattack on a supplier. Request your assessment today.