The freight air transport industry in the UK is flourishing, with a market size, measured by revenue, of £1bn in 2022 and average growth of around 3.4% per year between 2017 and 2022. Having recovered from the devastating impact of the covid pandemic, the air freight industry now faces a new and potentially even more damaging challenge: more frequent and pervasive cybersecurity breaches.
The UK had the highest number of cyber crime victims per million internet users in October 2022, up 40% on the 2020 figure, according to AAG's 2022 cybersecurity statistics. The US had the second highest number of cyber crime victims per million internet users, leaving both countries with a disproportionately high number of victims compared to other countries.
Cyber attacks against ports, airports and other critical logistics infrastructure have increased dramatically, with data revealing that the aviation sector faces a ransomware attack every week. Established aviation names including EasyJet, British Airways and several major UK airports have all suffered serious cyber attacks in recent years. In the past week alone, the UK has moved to high alert as it prepares for a fresh wave of Russian-led cyber attacks on air traffic control, amongst other targets.
In a bid to address such threats, almost every large company today conducts extensive due diligence on a supplier/vendor before selecting them to provide materials, components, services, software, etc. And, almost every large company’s due diligence process contains an IT security diligence section. While that is a great start, it is simply not enough, and businesses know it. In fact, recent research suggests over 80% of transport and aviation cyber leaders feel they don’t have sufficient visibility across the IT/OT boundary, or over all end user networks and systems.
The reality is that supplier business practices and processes will inevitably change. But almost no company requires its suppliers to periodically update their IT security diligence data, so process changes go unreported and unmonitored. In addition, many companies collect IT due diligence data in spreadsheets or documents that, after the initial review, are filed on a server and essentially forgotten. When a new attack technique or vulnerability surfaces, there is no mechanism in place to flag which suppliers are potentially exposed, leaving the door wide open for cyber criminals to attack a company and all those connected to it.
Taking a proactive approach to cybersecurity risk in supply chains
Cyber attacks are taking an unprecedented financial toll on companies, with the cost of ransomware mitigation measures alone expected to reach $20 billion a year globally, according to AAG's 2022 cybersecurity statistics report. It is therefore imperative that companies proactively address supplier-induced cybersecurity risk. Businesses can no longer wait for an incident to occur before reacting, and it is not enough to expect all suppliers to always "do the right thing". A company must take responsibility for monitoring its suppliers' cybersecurity practices and processes, and continually push vulnerable suppliers to improve them.
Six ways to minimise cyber security risk
Make cybersecurity disclosures mandatory for every supplier (big or small)
When it comes to security, a company is only as strong as its weakest link. A company must therefore bring all of its suppliers and vendors into its cybersecurity diligence process, regardless of the type of software or service they provide. It is often the smallest links in the chain that cause the greatest collateral damage.
Implement an extensive set of analytics on the collected data
These analytics must be designed to highlight the key areas of vulnerability in suppliers' processes, and they must not be superficial: they must be detailed enough to pinpoint the deficient process areas. A single number indicating a supplier's 'Cyber Security Risk' is a good start, but it is not sufficient on its own, because it tells neither the company nor the supplier what to fix. Rather, the analytics must highlight weaknesses in the specific processes the supplier implements, e.g. employee onboarding, destruction of sensitive material, patch management or access control.
Drive corrective action down your supply chain
Almost every company has a process in place to help suppliers address process issues, whether related to quality, delivery, service or something else. A commonly used mechanism is the 'Corrective Action Report', in which the company issues the supplier a report detailing the problems it has identified in their processes, the steps it expects the supplier to take to address them, deadlines, and the actions the company may take should the supplier fail to act. The same or a similar process can be applied to cybersecurity process issues.
Maintain current information about processes and software versions
A company can implement extensive analytics and processes, but if it does not have the latest information from its suppliers it still leaves itself open to cyber attacks. The company should therefore make a data refresh part of its standard process, at least every six months, covering both changes to suppliers' processes and the software versions they run, so that a newly published vulnerability can be matched against what suppliers actually have deployed.
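The following is an added example illustrating the analytics, corrective-action and data-refresh points above; it is not code from the article, from Resilinc or from any vendor. It assumes a hypothetical set of control questions grouped by process area, a constructed set of three supplier records, and two constructed advisories giving a product's affected and fixed versions. It shows why a single score is not enough (two suppliers can share a score yet have different gaps), flags suppliers whose reported software falls inside an advisory's affected range using numeric rather than string version comparison, and flags diligence data older than the six-month refresh cadence.

```python
"""Supplier cyber-diligence analytics: per-process-area gaps, advisory exposure
matching and a data-freshness check. Added example, not the article's or
Resilinc's code. All control names, suppliers and advisories are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical control questions grouped by the supplier process they evidence.
CONTROLS = {
    "employee_onboarding": ["background_checks", "least_privilege_on_day_one", "security_training"],
    "sensitive_material_destruction": ["media_sanitisation_policy", "destruction_certificates"],
    "patch_management": ["patch_sla_defined", "critical_patch_within_14_days"],
    "access_management": ["mfa_enforced", "quarterly_access_reviews", "leaver_deprovisioning_24h"],
}
MAX_AGE = timedelta(days=183)  # the six-month refresh cadence recommended above


@dataclass
class Supplier:
    name: str
    answers: dict        # control name -> True if the supplier evidences it
    software: dict       # product -> version the supplier reports running
    last_updated: date   # when the diligence data was last refreshed


def parse_version(v):
    """'2.10.0' -> (2, 10, 0); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in v.split("."))


def version_affected(v, affected_from, fixed_in):
    """True when affected_from <= v < fixed_in (fixed_in is the first safe release)."""
    return parse_version(affected_from) <= parse_version(v) < parse_version(fixed_in)


def area_findings(supplier):
    """Missing controls per process area; areas with no gaps are omitted."""
    findings = {}
    for area, controls in CONTROLS.items():
        missing = [c for c in controls if not supplier.answers.get(c, False)]
        if missing:
            findings[area] = missing
    return findings


def overall_score(supplier):
    """Single 0-100 number: fine for ranking, useless for telling a supplier what to fix."""
    total = sum(len(c) for c in CONTROLS.values())
    missing = sum(len(m) for m in area_findings(supplier).values())
    return round(100 * (total - missing) / total)


def is_stale(supplier, today):
    return today - supplier.last_updated > MAX_AGE


def exposed_to(suppliers, advisory):
    """Suppliers reporting a version inside the advisory's affected range."""
    hits = []
    for s in suppliers:
        v = s.software.get(advisory["product"])
        if v and version_affected(v, advisory["affected_from"], advisory["fixed_in"]):
            hits.append((s.name, v))
    return hits


def flag_for_corrective_action(suppliers, advisories, today):
    """Supplier name -> reasons a Corrective Action Report should be raised."""
    flagged = {}
    for s in suppliers:
        reasons = [f"gap: {area}" for area in area_findings(s)]
        reasons += [f"exposed: {a['product']} {v}" for a in advisories
                    for _, v in exposed_to([s], a)]
        if is_stale(s, today):
            reasons.append("stale: diligence data older than six months")
        if reasons:
            flagged[s.name] = reasons
    return flagged


# Constructed sample data (hypothetical suppliers, products and advisories).
ALL_CONTROLS = [c for area in CONTROLS.values() for c in area]
TODAY = date(2023, 6, 1)
SUPPLIERS = [
    Supplier("Acme Ground Handling",
             {c: c not in ("destruction_certificates", "quarterly_access_reviews") for c in ALL_CONTROLS},
             {"cargo-portal": "2.3.1"}, date(2023, 1, 10)),
    Supplier("Bluebird Customs Brokers",
             {c: c not in ("background_checks", "critical_patch_within_14_days",
                           "mfa_enforced", "leaver_deprovisioning_24h") for c in ALL_CONTROLS},
             {"cargo-portal": "2.1.0", "edi-gateway": "5.0.2"}, date(2022, 3, 1)),
    Supplier("Skyline Fuel Services", {c: True for c in ALL_CONTROLS},
             {"edi-gateway": "5.2.0"}, date(2023, 5, 1)),
]
ADVISORIES = [
    {"product": "cargo-portal", "affected_from": "2.0.0", "fixed_in": "2.3.2"},
    {"product": "edi-gateway", "affected_from": "5.0.0", "fixed_in": "5.1.0"},
]

if __name__ == "__main__":
    for s in SUPPLIERS:
        print(s.name, overall_score(s), area_findings(s), "stale" if is_stale(s, TODAY) else "current")
    for name, reasons in flag_for_corrective_action(SUPPLIERS, ADVISORIES, TODAY).items():
        print("CAR ->", name, reasons)
```

Running it shows Acme scoring 80 with gaps in material destruction and access management, Bluebird scoring 60 with gaps in three areas, stale data and two exposures, and Skyline clean; only the first two would receive a Corrective Action Report. The version tuple comparison matters in practice: a naive string comparison would place "2.10.0" before "2.9.0" and silently miss an affected release.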
About the Author
Bindiya Vakil is the CEO and founder of Resilinc and an award-winning expert in supply chain risk management. Her career spans 20 years, and she was crowned Supply & Demand Chain Executive's inaugural Woman of the Year in 2020. She holds a master's degree in supply chain management from MIT and an MBA in Finance. Bindiya continues to lead the market in risk intelligence and mitigation and is credited with bringing supply chain risk management into the mainstream. For more information visit https://www.resilinc.com.