00:00:07 Introduction to the topic of cyber risk in supply chains during the coronavirus epidemic.
00:00:36 Richard Wilding’s background as a professor of supply chain strategy and his work in the field of supply chain risk management.
00:03:24 Overview of the challenges in detecting and preventing cyber risks in software development.
00:06:06 The difficulty in determining who is responsible for preventing cyber attacks in supply chains.
00:07:44 The importance of user education in solving security problems and the need for a specific approach to security in design.
00:08:00 Discussion about security relying on human behavior.
00:09:04 Counter-intuitive stance taken by companies such as Google on security.
00:09:57 People being aware of their responsibilities in security.
00:13:06 People bringing their own devices when security is too strict.
00:15:04 GDPR and the importance of only keeping necessary data.
00:16:00 Discussion on the current situation with people working from home due to coronavirus and the risks that have been introduced.
00:17:01 Discussion on the security of personal devices and the need for companies to educate their employees on working from home securely.
00:18:58 Joannes’ advice on protecting a company from staff making bad decisions.
00:19:31 The importance of using “white hats” (legitimate hackers) to improve IT security.
23:44 Final thoughts on the running battle of cyber security and the need for the good guys to keep ahead.
Summary
The interview between Kieran Chandler, Joannes Vermorel, and Richard Wilding centers on the topic of cyber risk in supply chains. Vermorel and Wilding highlight the growing vulnerability of supply chains due to their increased connectivity and emphasize the need for a more comprehensive approach to security. They discuss the trade-offs between convenience and security, the counterintuitive nature of some security measures, and the impact of remote working on cybersecurity. The conversation emphasizes the importance of a multifaceted approach to cybersecurity, including awareness, white-hat hackers, and improved software and hardware solutions. Both Vermorel and Wilding stress the ongoing nature of the battle against cyber threats and the need for individuals and businesses to remain vigilant and adaptive.
Extended Summary
Kieran Chandler, the host of the interview, introduces the two guests, Joannes Vermorel, the founder of Lokad, a supply chain optimization software company, and Richard Wilding, Chair (Full Professor) in Supply Chain Strategy at the Centre for Logistics and Supply Chain Management, Cranfield School of Management UK, Supply Chain Innovator. The discussion topic is the cyber risk in supply chains.
Richard Wilding gives an overview of his background, having accidentally fallen into academia after starting his career in industry. With experience in dealing with disruptions in supply chains since the early 1990s, he has evolved into a professor of supply chain strategy. His goal is knowledge into action, challenging and inspiring supply chain leaders to innovate and create economic, social, or environmental value. Cranfield University’s focus is on enabling supply chain leaders to innovate and create value in their businesses.
Joannes Vermorel addresses the topic of cyber risk and its impact on supply chains. He describes it as counter-intuitive and elusive, with traditional testing methodologies and development practices failing to address security concerns. He also notes that the evolution of enterprise software over the last few decades has increased the surface attack area, making software more exposed to cyber-attacks. Moving to cloud environments can increase security, but they also provide more entry points for potential attackers.
Richard Wilding discusses the difficulty of securing supply chains due to the desire for openness and connectivity between suppliers and customers. This openness creates multiple entry points for cyber-attacks, which can have devastating effects on businesses. Examples of potential disruptions include denial of service attacks on websites, warehouse management system interruptions, and interference with autonomous vehicles. Wilding emphasizes that the severity of cyber-attacks can increase when they target supply chains, as opposed to individual websites or applications.
The interview highlights the growing importance of cyber risk in supply chains and the challenges businesses face in addressing security concerns. Both guests emphasize the need for innovation in this area, as well as the importance of rethinking traditional methods for securing supply chains. However, the discussion remains incomplete, and the conversation is expected to continue in the future.
The conversation highlights the increased vulnerability of supply chains due to their growing connectivity, with a focus on cyberattacks.
Richard emphasizes that supply chain cyberattacks have become more prevalent in recent years, and it is everyone’s responsibility to ensure security. He argues that educating all involved parties about potential risks is essential. Joannes, however, believes that relying solely on user education is insufficient. Instead, he advocates for “correctness by design,” wherein security measures are built into systems to reduce the possibility of human error.
To illustrate his point, Joannes shares the example of the “USB key on the parking lot attack,” where a malware-infected USB key is left in a public place, preying on human curiosity to compromise systems. He contrasts this with the security approaches of companies like Google, which assume that people will make mistakes and design their systems accordingly.
Richard agrees that correctness by design is crucial, but he also insists that human error is still a significant factor in many cybersecurity breaches. He cites examples such as the Target data breach, which resulted from an attack on a supplier through phishing emails. This breach cost the company millions and exemplifies the importance of both awareness and system design in securing supply chains.
Both Joannes and Richard agree that a combination of user education, awareness, and system design are needed to improve supply chain security. Balancing openness for innovation and system lockdown is a challenge that companies must navigate to ensure the safety of their information and assets.
The conversation covers the balance between accessibility and security, the counterintuitive nature of some security measures, and the impact of remote working due to the coronavirus pandemic.
The discussion highlights that security measures can sometimes backfire, leading to unintended consequences. For instance, when companies implement strict security measures on laptops, employees may bring their own devices, inadvertently creating security risks. Similarly, frequent password rotations can lead to employees writing down passwords, making them more vulnerable. Vermorel notes that it’s essential to consider human reactions to security measures to avoid counterproductive outcomes.
Wilding adds that companies should only keep necessary data and follow regulations like GDPR to avoid exposing themselves to unnecessary risks. He highlights the importance of educating employees about password security and suggests that while remote working could increase security in some aspects, it also introduces new risks, such as personal routers and devices.
Vermorel expresses skepticism about education as the primary solution to preventing security breaches, citing emerging threats such as counterfeit USB cables that transmit malware. The conversation emphasizes the need for a more comprehensive approach to supply chain security, considering human behavior and balancing accessibility with protection.
The conversation highlights the challenges faced by businesses and individuals in dealing with increasingly sophisticated cyber threats.
Vermorel shares an example of how a seemingly innocent cable can contain a microcomputer with the potential to compromise systems. He expresses skepticism about the effectiveness of training people to prevent cyber attacks, as the threats are diverse and constantly evolving. Instead, he suggests that employing white-hat hackers to identify vulnerabilities in a company’s systems can be a more effective approach to improving IT security.
Wilding agrees with the importance of employing white-hat hackers, mentioning his own experience in hiring hackers to test security measures on company boards. He also emphasizes the need for regular assessments due to the ever-changing nature of cyber threats. Wilding acknowledges the existence of more sophisticated software that can detect and alert users of suspicious activity, but notes that hardware vulnerabilities, like compromised USB sticks, still pose significant risks.
The interviewees discuss the trade-offs between convenience and security, with Wilding pointing out the importance of establishing guidelines and firewalls to limit the potential for large-scale attacks. He also shares his optimism for the future of cybersecurity, acknowledging that it is a “running battle” with ongoing improvements. Wilding cites the built-in virus protection in modern Windows laptops as an example of such improvements, but also highlights the need for continuous awareness and vigilance.
Both Vermorel and Wilding stress the importance of a multifaceted approach to cybersecurity, including awareness, white-hat hackers, and improved software and hardware solutions. They acknowledge the ongoing nature of the battle against cyber threats and emphasize the need for individuals and businesses to remain vigilant and adaptive.
Full Transcript
Kieran Chandler: Today on LokadTV, we’re delighted to be joined by Professor Richard Wilding, who’s going to discuss with us the topic of cyber risk in supply chains. So, Richard, thanks very much for joining us live from the UK today. Perhaps just to start off, you could tell us a little bit about yourself and a little bit about the work you do at Cranfield.
Richard Wilding: Okay, so my background actually started in industry, and I accidentally fell into academia quite a few years ago. I’ve never managed to escape. But, basically, I’ve had a career really looking at disruptions in supply chains, going back to the early 90s. Of course, the types of things we were experiencing then were very different. In the 2000s, we had events like 9/11, ash clouds, fuel crises, and foot and mouth disease, all of which impacted supply chain risk and resilience. I actually became probably one of the first professors of supply chain risk management in the world, but that title has now evolved, and I’m currently Professor of Supply Chain Strategy at Cranfield. My goal is knowledge into action, so what I love doing is taking this knowledge and creating action in industry. I’m the immediate past chairman of the Chartered Institute of Logistics and Transport in the UK, which covers everything from the movement of goods and people to all their associated supply chains. My focus is on challenging and inspiring supply chain leaders to innovate. I hope our listeners today will be able to take some ideas away and think about how they can innovate to create economic, social, or environmental value. That’s really what Cranfield is all about, taking knowledge to supply chain leaders, enabling them to innovate and create value in the supply chains and businesses they’re working in.
Kieran Chandler: That’s a brilliant introduction. I definitely think the idea of innovating is something we’d agree with here on LokadTV. Joannes, our topic today is all about cyber risk and its impact upon our supply chains. What’s your initial overview?
Joannes Vermorel: Cyber risk is one of those things that is super counter-intuitive in practice. It’s very difficult, for example, to detect security problems with software. Most of the usual testing methodologies do not work, and most of the typical development practices fail at addressing those concerns. It’s an elusive topic. What has increasingly piqued my interest over the last decade is that most of the duration taken by enterprise software in general
Kieran Chandler: Over the last decades, we tend to see an increase in what is technically known as the surface attack area of the software. You have software that is more exposed to attacks, especially when you move toward a cloud environment. Cloud environments are more secure, but you have a lot more entry points for your software. Also, whenever you have a web app, you have entire classes of risks that are very difficult to mitigate or prevent by design in terms of potential security problems.
Joannes Vermorel: Kieran, you mentioned testing methodologies that don’t work so well. Richard, if we look at things from a perspective of a supply chain, what is it about a supply chain that makes it quite so difficult to secure?
Richard Wilding: From a supply chain perspective, we want things to be relatively open. We want to connect with our suppliers and customers, but that actually creates multiple entry points. Often, attacks are occurring on the supply chain. If I want to shut a business down, a denial of service attack on a website is devastating, but if you start thinking about the devastation that could be caused by disrupting a warehouse management system or autonomous vehicles, it could be far more devastating for a business in terms of its capability to carry on and resurrect itself moving forward. We’re finding that some of the actual attacks are occurring through, for example, a supplier portal. People are gaining access to data or being able to supply information to a large customer, but that creates an entry point. If someone could do something as simple as a phishing attack, it can create issues.
There are multiple exposures, and this has been something I’ve been talking about for probably 18 months now because we’ve seen a big rise in cyber attacks on supply chains. One thing that is really interesting is whose job it is to stop this from happening. The problem is that if you go to the supply chain team, they’ll say it’s the IT team’s job. If you go to the IT teams, they’ll say it’s the supply chain’s job. It’s everybody’s job, so we’ve got to make sure there’s awareness across everybody to stop these types of things. Educating the business and making them aware of these challenges is critical.
Kieran Chandler: Richard mentioned that supply chains are definitely becoming more connected. If you look at any multinational, they’re spreading their systems all over the world nowadays. Would you say that increased connectivity is a real weakness?
Joannes Vermorel: Yes, that’s exactly what I meant when I said increased surface attack area. The more things are exposed to any third parties, the more vulnerable they are. On the internet, you don’t connect to a person, so if you have a web portal, you have a piece of software that interacts over port 80 through HTTP. It can be on the other side; it’s always a machine. The machine can be operated by a human, and it can be operated by a human that happens to be the employee that you believe this person is.
Kieran Chandler: So indeed, thanks, but where would you slightly digress and where do you think a divergence would occur in terms of security, maybe with interpretation?
Joannes Vermorel: I believe that overall, education of users in general is not enough to solve those problems of security. That’s why it’s very deeply concentrated. It has to be a kind of pitfall of security, and that’s where you really need to have a specific approach of correctness by design. You cannot expect people not to click on attachments or whatever. If you expect that people will stick to the rule for something where they are just one click away from disaster, they will do it. So, for example, one of the simple attacks is called the USB key on the parking lot attack. You just drop a USB key with malware on the parking lot, and you write “Bitcoin stash” on top of it. You can be sure that there will be someone who will actually try the key, connecting it to the computer. If you rely on the fact that people are supposed to be educated, I mean, they are human. Even if they are pretty smart, they can have a lack of sleep, and sometimes they have a lapse of judgment. It just happens. So if you rely on people to be smart, alert, and educated, it kind of doesn’t work. And it’s very funny because when you see how security is done in companies, like Google, they take the opposite stance. A stance that has been more applied in other areas like the nuclear industry, where you assume on the contrary that people are going to be dumb. When you think they are going to do something super dumb, you think, can they do even something that will be even worse than that? But there are plenty of other ideas that are similar, which are pretty much by design.
Kieran Chandler: Okay, Joannes mentioned that idea of correctness by design there, Richard. What are the methods that we can introduce to ensure that our systems are very much safe?
Richard Wilding: I think it is an interesting thing, and I think we’ve got to have the correctness by design. There’s no doubt about that. But if you’re looking at the old 80-20 rule of the causes of a lot of the issues, sadly, it is people. And it is interesting to note that Google Australia got hacked by some hacktivists just to show they could do it. And the way that they accessed that was actually through the building control system for Google’s nice new building in Australia. It got hacked. If you look at some of the really big disruptions to businesses, like Target in the United States, which is still rumbling on with all sorts of class actions and everything else, that was quite interesting. Forty million payment card credentials and seventy million customer records were just harvested, and the way that occurred was through the heating and ventilation air control system. A supplier was targeted with phishing emails. They then were able to get into that part of the business, and they just went around harvesting stuff, found out the point of sale network, and then just sat there taking the information.
Kieran Chandler: This is really important because fuel, so far, has cost them, believe it or not, 162 million. That is one particular disruption which has occurred. But I think the key thing here is being able to actually make people aware of these things, aware of their responsibilities. But then you’ve got the design side of things as well. The problem is you need some level of openness.
Richard Wilding: Right, so if I just think about my laptop, the university can lock it down so I can’t do anything with it, and it’s not much fun. We had this a few years ago, where it was like, “This is corporate. Nobody can go on LinkedIn, nobody can go on YouTube, nobody can go on this or that.” But the problem is, going back to innovation, innovation is taking ideas which are new to you and creating value. If all of a sudden you lock down your systems because these could potentially enable people to access things they shouldn’t or it weakens our infrastructure and everything else, that can actually have another effect. So, with the big “let’s have a social media blackout within our company,” what that’s actually resulted in is an innovation blackout, as well, you could argue. Because now a lot of the innovation and the good ideas are being shared effectively through these channels. So, you’ve got to be particularly careful about this, and I think it’s one of these things of getting a balance between accessibility and also security but making sure, by design, if things do go wrong, you detect it quickly.
Kieran Chandler: Okay, did you want to jump in there, Joannes?
Joannes Vermorel: Yes, I mean, just to give you an example, when I was saying it’s counterintuitive, I think the whole idea of locking down is a perfect example of that. If you have super tight security for the laptops where the company can only install the software that has been approved and you can only visit the websites that have been approved, what happens in practice? People bring their own devices, they buy their own laptops. So, while in theory you were thinking that you were creating security, you’re not, just because people are going to react and do something else on the side. And the same thing for passwords, for example. There have been studies, even published by the NSA in the US, that showed that password rotations are harmful. If you rotate passwords frequently, what people do is they put post-it notes on their desk with the password of the week. So, you end up with entire offices where the password of everybody is on everybody’s front desk on a post-it.
That’s why I say it’s very counterintuitive, and it’s not just a balance. Indeed, frequently, you can actually push people to do things that are even less secure. And again, I think the nuclear industry has a lot of good examples of that. Where if you burden people with too much protective equipment, at some point during the summer, it’s just too hot, so they get rid of everything just because they can’t even bear the heat of all the stuff they have to carry, and thus they end up having no protective equipment at all, which is very dumb. So that’s why security is so complicated. It’s because you need to think of how humans will react, and it’s like a completely recursive feedback loop.
Kieran Chandler: You think about it, there are some data that you should not collect for any duration of time, maybe one week and get rid of it.
Richard Wilding: I think the interesting thing about Target, of course, was that they weren’t storing the data. It was just going through their systems. If you’re doing a credit card transaction, it has to go through the internet to the bank. If you can sit there tapping that feed, which is effectively what was going on, then you can do these types of things. But I think it is really important, if you think about GDPR and data protection, to only keep what is really needed. What’s the point of having all this stash of data? Some companies now, with artificial intelligence, believe that they should keep all this data because they might be able to do something useful with it in the future. Well, that’s a bit like me keeping every single email I’ve ever written in my life. Will I ever do anything useful with it in the future? We have to think through that.
I love this little quote when I’m talking to people about passwords: “Passwords are like underwear. You don’t want to let people see it, change it often, and you should not share it with strangers.” But at the same time, you’ve got to make sure that you’re able to remember these things as well, which is why you need other approaches.
Kieran Chandler: Richard, let’s talk a little bit about the current situation with more and more people working from home because of coronavirus. Presumably, this has introduced a lot more risk. What can a company, maybe somebody watching this, do in order to protect themselves?
Richard Wilding: Well, I would recommend that when you’re working at home, to some degree, it could be more secure because if there are passwords left all over my desk, which they’re not, there are fewer people who are going to be moving through. So, there are some elements that you could argue make remote working slightly more secure. But at the same time, we’ve now got everybody’s own devices being used, which is a point that was made earlier, and we need to be able to deal with that as well. It’s also important to recognize that we’re using our own personal routers, internet connections, Wi-Fi networks, and everything else. So, how secure is that? I think companies need to start educating their employees about working from home and utilizing resources like Cyber Essentials to help guide them in terms of what they’re doing.
Kieran Chandler: Joannes, what’s your advice for someone watching this? From your experience, how do you protect a company from staff, such as me, maybe making bad decisions?
Joannes Vermorel: I really don’t believe in the education route, or maybe in a very specific way. Just to give you an idea of the emerging threats that we see nowadays, there are tons of counterfeits on Amazon, and even for things…
Kieran Chandler: So, Richard, let’s start with you. We’re hearing a lot about the move towards remote work, especially in the context of the pandemic. What are some of the biggest concerns you have around IT security in the remote work environment?
Richard Wilding: Well, I think there’s a whole range of concerns around IT security when it comes to remote work. One thing that people might not necessarily think about is just how basic some of these concerns can be. For example, something as basic as USB cables, which we all use every day, can actually transmit malware to your computer. With the progress of computing, it’s now possible to have a microcomputer inside a cable. And that’s just one example of the sort of thing that can happen with adapters and other similar devices. So, the bottom line is that you can have something as powerful as a computer from 20 years ago inside a cable that looks just like a normal cable. And it can even have a brand that you trust, but what you’re buying might actually be a counterfeit. And Amazon has had some issues with this.
Joannes Vermorel: If I may add to that, Kieran, I’m very skeptical that training alone will make any difference when it comes to IT security. The problems are so rampant and diverse that I don’t think you can rely on people to always behave in a certain way. But I do think that remote work has one positive advantage that people might not think of, which is that it makes remote work more acceptable. And in my experience, the most positive way to improve IT security is actually by using white hats - that is, hackers who offer their services remotely to find holes in your company’s security. It’s strange, but security is such a weird area that even when you expect people to behave a certain way, it’s very possible that they won’t. For example, someone could pretend to be tech support and call you up to get access to your computer.
Richard Wilding: Yes, Joannes, I completely agree with you. In fact, in my role on boards of directors, we have employed such people - usually former hackers who have done time in prison and now work with organizations to find vulnerabilities in their security. It’s important to do this regularly because the methods of attack are constantly changing. And it’s also important for people to understand what to do when an attack does happen. There is now more sophisticated software that can pick up on changes to files or bits of code being rewritten, but we also need to think about the hardware approach. For example, USB sticks are not allowed in some environments, such as the military campus at Cranfield where I work.
Kieran Chandler: That’s really interesting. So, Richard, can you tell us a bit more about the software approaches that are now being used to detect cyber attacks?
Richard Wilding: Yes, there are now more sophisticated software approaches that can detect when files are being changed or bits of code are being rewritten. They can create alerts on these changes and help to prevent attacks before they happen. But, as I said before, we also need to think about the hardware approach. We need to have guidelines in place around basic things like USB sticks and cables, and we need to regularly employ white hats to find vulnerabilities in our security.
Kieran Chandler: So, Joannes, Richard, we’ve talked a lot about the vulnerabilities and the risks associated with cybersecurity, but what are some of the ways that we can protect ourselves?
Joannes Vermorel: Well, I think the first thing to realize is that cybersecurity is not an absolute. It’s a trade-off between security and convenience. For example, if you have a very secure system, it might be very inconvenient to use, and if it’s very convenient, it might not be very secure. So, we need to find a balance between those two things.
Richard Wilding: Yes, and I think another important point is that we need to have some kind of firewall to limit what’s going on within our systems. We don’t want a mega-attack, so we need to be able to detect and stop malware from being deployed.
Kieran Chandler: That’s a good point. So, let’s focus on the positives for a moment. Cybersecurity has come a long way over the past few decades. Do you think it will continue to improve, and will we be safer than ever one day?
Richard Wilding: I think it’s a running battle, to be honest. Cybersecurity is a continual game that’s always moving on. However, I do think that things are improving. For example, if you buy a Windows laptop today, it comes with Windows 10, which has a half-decent virus protection that does a bit of the job for free. So, we’re starting to see that cybersecurity is becoming part of the package.
Joannes Vermorel: Yes, but we also need to create awareness across everybody. People need to know that even a USB stick or a cable can create havoc. That’s the nature of what’s going on. But, if people are aware of this, they might think twice before doing some of these things.
Kieran Chandler: So, it’s a combination of creating awareness and having systems in place that can detect and stop malware from being deployed. Well, we’re going to have to wrap it up there, but thanks both for your time. That’s everything for this week. Thanks very much for tuning in, and we’ll see you again in the next episode. Thanks for watching.
