Enterprises have to defend their data from millions of criminal attempts to infiltrate their IT systems every day. But do you know who got the ball rolling, and why?
Blame Robert T. Morris. In 1988, the grad student set loose the first malicious code – reportedly to find out “how big” the internet was. Many people regard the Morris worm as the first cyberattack.
To find out what happened next, read on:
In its broadest definition, cybersecurity is the protection of digital networks, devices, programs and data from attacks. Such measures include technologies that offer multiple layers of protection. Some examples are firewalls (that allow or block access), encryption (making data unreadable to unauthorized users), and authentication (proof of identity). However, good cybersecurity strategy also includes policies and practices, so that users understand cybersecurity risk, how to defend their systems and why they must do so.
Back in 1988, in releasing the self-replicating worm, Morris’s stated aim was “to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects.” And it did. Within 24 hours, the Morris worm had spread to about 10% of the world’s 60,000 connected computers at the time, disabling most of them.
On the positive side, this early malware also triggered the start of an entirely new field, cybersecurity – which serves to safeguard today’s more than seven billion internet users. So perhaps instead of blaming Morris, we should thank him.
Discovering how cybersecurity started helps explain why it is important. Internet use has exploded in the past 30 years, cyber risk has kept pace, and cyberattacks continue to evolve. So, when you understand cyber risks and cyber risk management, you can better protect your business and your supply chain.
Increasingly, your cyber risk strategy, or more specifically, your cyber risk management strategy, must involve suppliers, vendors and any other third parties in your supply network. Why? In our whitepaper Managing Cyber Risk in Your Supply Network we discuss what drives cyber risk, why it matters, and what you can do to protect your business. Here are a few highlights:
In short, cybercriminals seek out the weakest link in your supply chain to gain access to your digital systems, so your cyber risk and security may depend largely on how effectively you monitor your supply base. Greater visibility into your sub-tiers improves your cybersecurity risk management. Properly vetting suppliers’ cybersecurity, cyber risk management and data protection measures can save you money and save your reputation.
Using The riskmethods Solution™ you can continuously monitor cyber risk in your supply network – and demonstrate proactive risk management.
To be effective, cybersecurity combines technology with human behavior. The most advanced firewalls or antivirus software are not secure if staff are not aware of or do not follow data protection policies.
Even if your enterprise has advanced cybersecurity policies and technology in place, you might have sub-tier suppliers unable to protect their networks, for reasons including technology failure (incorrectly configured software), lack of resources (not enough staff, outdated patches) or lack of awareness (insufficient knowledge or low priority). The broad attack surface means that cybersecurity risks for businesses are much more multilayered than in Morris’s student days.
Yet cyber supply chain risk management is not all doom and gloom. In today’s increasingly digitalized procurement environment, it offers solid business benefits as well:
With a cybersecurity risk assessment, you take a close look at your – or your suppliers’ – level of risk preparedness. To identify and rate cyber threats and vulnerabilities, independent auditors or cyber risk management companies review the relevant IT infrastructures. Many cybersecurity specialists rely on the international standard ISO/IEC 27001:2013, which details specifications for managing risk in an information security management system.
As with any risk assessment, when assessing cyber risk, several aspects are essential:
For greater detail, you can download a cybersecurity risk assessment PDF offered by government agencies or cybersecurity companies. And, because cyberattacks on supply chains are increasing, a cybersecurity assessment is critical. This is also why cyber risk assessment needs to be anchored in your supplier evaluation and third-party risk management. If your suppliers are hit, you too are likely to suffer the consequences.
Attacks continue to evolve, so it’s difficult to name the top 3 cybersecurity threats. The following types of attack are among the most common cybersecurity risks:
The list of cybersecurity threats is, of course, much longer. The riskmethods Solution automatically provides you with an instant risk evaluation of any vulnerability in cybersecurity, as well as real-time warnings of cyberattacks in your supply network. And you can seamlessly integrate additional specialized cyber risk intelligence from our partners, including BitSight Security Ratings and IntegrityNext.
Cyberattacks are powered by increasingly advanced software and bots, but threat actors often bypass security technology by manipulating users. In fact, most data breaches can be traced to human error. Employees are fooled by phishing (fake sites or emails), they use insecure passwords, or they fall victim to social engineering, in which attackers speak or write to users to talk their way into IT systems. Just one person’s mistake can expose your entire network and put sensitive data at risk.
Awareness is the first step to managing cyber threats. To reduce cyber risk, staff must be trained on the need for cybersecurity. And training must be ongoing, to keep pace with rapidly evolving technologies and tricks.
But that’s not all. Mistakes when handling data may have legal consequences, including fines. And when your customer data is handled by a supplier, they might unknowingly breach the General Data Protection Regulation (GDPR), for example, which governs the controlling and processing of personal data and requires that cyberattacks be reported and data breaches be notified.
By the way, Morris was the first person sentenced under the then-new US cybersecurity bill called the Computer Fraud and Abuse Act (CFAA), which prohibits accessing protected computer systems without authorization.
Cybersecurity management for supply chains is one focus of the U.S. National Institute of Standards and Technology (NIST). Its cybersecurity specialists have developed a five-point framework of voluntary guidelines for reducing cyber threats and vulnerabilities in critical infrastructure – including supply chains.
You’ve probably noticed that the NIST framework contains many aspects of sound supply chain risk management. And indeed, integrating cybersecurity into your supply chain risk management is critical for protecting your business resilience.
And speaking of resilience, did Morris bounce back? The early bird of cybersecurity now belongs to the faculty of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology (MIT). With luck, he’ll be the first to catch today’s runaway worms.