fbpx

Image by Mika Baumeister on unsplash.com

California’s role in the global supply chain, with its broad eastern exposure, is unrivaled but also at risk to cybersecurity attacks. Companies in the state need to not only protect themselves from devastating attacks, they also need to ensure they know their place in that sprawling supply chain and how important they are to the bigger security picture.  

Many small- and medium-sized businesses (SMBs) don’t think they will be targeted, or have a difficult time visualizing their critical importance in the supply chain. But also just last month, federal officials warned of expanded hacking campaigns against SMBs as a conduit to their bigger-ticket clients further down the supply chain. The reputational liability to these attacks is already huge and growing rapidly for SMBs. 

The federal government is increasingly making tools and resources available to help companies with an important place in the supply chain, however small. Just last week, the Department of Homeland Security’s Critical Infrastructure Security Agency launched a new set of tools to help businesses monitor certain technical functions for risk: https://us-cert.cisa.gov/resources/smb

This is a particularly difficult time, as SMBs have been squeezed by a very different supply chain risk: shipping delays and skyrocketing costs. Many SMBs have fewer resources than ever to deal with other threats. The reality, though, is that scrutiny of all companies on cybersecurity is only going to increase. In particular, those companies that are part of the Information and Communications Technology supply chain are increasingly under the microscope from the feds because of their interconnected importance to all critical functions in the U.S. Thankfully, there are a number of free and low-cost ways you can start focusing on this important issue. 

A quick start for better managing supply chain risk:

  1. Know thyself: As an SMB-owner, nobody knows your companies better than you. If any of them fall into one of DHS’s 17 critical infrastructure categories, you ARE supporting a critical function. You may consider separating out clients who fall into these categories and ensuring you are paying closer attention to your security protocols with them. 
  2.  
  3. Focus on resiliency: Do you have adequate back-ups to allow your continued operation even in the event of an outage? Can you quickly recover from a ransomware incident? Have you trained your employees to avoid phishing emails and ignore fraudulent attempts to change wire information? Training doesn’t have to be formal, costly or time consuming — it can be as simple as a company-wide email, telling your employees about a specific threat and asking them to take a specific action to avoid that threat, ie: “Scammers are constantly trying to get our private employee information. Never give out W2 information over the phone without a confirmation from the head of HR.”  
  4.  
  5. Protect data stored on end-of-life devices: Not enough businesses pay attention to the data-storing technologies they use and what happens to that tech at the end of its life. For environmental, regulatory and sustainability purposes, these devices must be responsibly recycled. When that happens, part of the process should always include complete, physical data destruction. Guaranteed data destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling and that is not always the case. Also, unethical and illegal shipping of e-waste abroad has become an additional layer to the hardware security issue because it leads to the wholesale liquidation of our national security and the privacy of the corporations and individuals of the United States. Recycling these devices is important, but it must be done the right way. Make sure your e-waste recycler is NAID certified.  

Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.

John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. The first five readers who send an e-mail to this address link will receive a free signed copy of John’s new book, The Insecurity of Everything.


e-Newsletter Signup

Our Weekly Poll

Do you think Valley Children's Hospital will lose financial support due to CEO pay revelations?
119 votes

Central Valley Biz Blogs

. . .