As 2021 wound down, many of us in the cybersecurity industry predicted continued attacks against targets positioned within supply chains. These supply chains are diverse, ranging across the energy, software, healthcare, and electronics industries, but they all present an irresistible target for threat actors. The reasons are straightforward: threat actors want to generate havoc, confusion, and pressure on the target of the attack. Nothing puts the heat on an enterprise quite like a supply chain, with multiple suppliers and vendors upstream and downstream pushing products along the line to ready consumers at the end of the chain, who definitely feel the pain when the supply chain is disrupted or even halted. For any organization within a supply chain, then, the writing is on the wall. A data breach isn’t a matter of if but when, and when it happens, it can threaten the entire chain up and down the line.
These predictions bring context to a recent report about an unprotected database filled with hundreds of thousands of records and what seemed to be ample sensitive information related to the trucking and transport industry. An organization that creates “trustworthiness” reports for the industry was purportedly referenced multiple times within the dataset, along with account information, Tax IDs, and even potentially SSNs, all stored in plaintext. Perhaps the lack of password protection was due to human oversight and error, which is still a major cause of data breaches. But the fact that such sensitive information was not guarded with robust data-centric security, with tokenization or format-preserving encryption applied directly to the data, would be a huge risk to any organization, especially within supply chains that are now so often the center of threat actors’ attention.
Again, these attacks against businesses positioned within supply chains will not abate. As the example above shows, these enterprises collect and house too much sensitive data for threat actors to ignore as they execute their core business of contributing to the supply chain they’re part of. If threat actors can get into these data environments, they can do a number of things. One, they can abscond with any sensitive information they find and use it for blackmail, phishing, data portfolio building, or some other nefarious purpose. Two, they can try to disrupt or halt operations with ransomware, ransom DoS (denial of service), or some other extortion technique. Three, they can trigger an immense amount of public pressure that tempts the victim organization into paying the ransom just to put the unfortunate situation and bad press behind it (which rarely happens in the end). Because so many businesses fail to protect sensitive data adequately, this clear (and unfortunately effective) line of attack will continue to generate revenue for bad actors of all kinds.
Enterprises should take away a very simple lesson: perform the proper due diligence with an audit of your defensive posture, with an eye toward overlooked unprotected sensitive data. Data discovery is a great method for this initial step. Then, where sensitive data exists, consider tokenizing or encrypting it with format-preserving protection, either of which enables protected data to be handled within the organization by business applications without the need for de-protection. Just remember: the alternative may hit your organization like a Mack truck.
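The discovery-then-tokenize sequence described above, as an added Python example that is not part of the original article or of any vendor's product: it scans constructed sample records for SSN- and Tax-ID-shaped values and swaps each for a random token of the same format, held in an in-memory vault. The record contents and the names `PATTERNS`, `discover`, `TokenVault` and `protect` are assumptions made for illustration; a real deployment would use a hardened token vault or a standardized format-preserving cipher in place of this toy vault.

```python
import re
import secrets

# Constructed sample records; not taken from the exposed dataset.
RECORDS = [
    {"carrier": "Example Freight LLC", "tax_id": "12-3456789",
     "notes": "driver SSN 123-45-6789 on file"},
    {"carrier": "Sample Haulage Inc", "tax_id": "98-7654321",
     "notes": "no issues"},
]

# Shape-based detectors (assumed US formats): SSN ddd-dd-dddd, EIN dd-ddddddd.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
}

def discover(records):
    """Data discovery: list (record index, field, kind, value) for each hit."""
    return [(i, f, kind, m.group())
            for i, rec in enumerate(records) for f, v in rec.items()
            for kind, pat in PATTERNS.items() for m in pat.finditer(v)]

class TokenVault:
    """Vault tokenization: random same-format token, mapping held only here."""
    def __init__(self):
        self._token_for, self._value_for = {}, {}

    def tokenize(self, value):
        if value in self._token_for:          # same input -> same token
            return self._token_for[value]
        while True:                           # keep separators, randomize digits
            token = "".join(str(secrets.randbelow(10)) if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._value_for:
                break
        self._token_for[value], self._value_for[token] = token, value
        return token

    def detokenize(self, token):
        return self._value_for[token]

def protect(records, vault):
    """Return copies of the records with every discovered value tokenized."""
    def swap(text):
        for pat in PATTERNS.values():
            text = pat.sub(lambda m: vault.tokenize(m.group()), text)
        return text
    return [{f: swap(v) for f, v in rec.items()} for rec in records]
```

Because the tokens keep the original shape, business applications that expect that format keep working, and a later discovery scan will flag the tokens as well, so scan results need to be reconciled against the vault.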