Cyberattacks are nothing new for global supply chains but the threat level has increased due to the development of attacks using artificial intelligence (AI). The scale of impact has increased and businesses must adapt quickly, says Adrian Purcell, regional director for Ireland at Palo Alto Networks.
“AI allows cybercriminals to automate attacks, meaning they can target many victims simultaneously,” says Purcell. “It also allows them to develop malware that can change its code to evade traditional forms of detection. AI is also being used to enhance social-engineering attacks. Deepfakes are a good example of this, using video and audio to trick people into revealing sensitive information.”
Much of the issue comes down to how interconnected the world has become. With so many potential points of attack, the need for defence has never been greater.
“Modern supply chains are complex. The interconnectivity increases the number of points of vulnerability. Issues in one area can easily migrate. Smaller suppliers and third-party vendors might not have robust security measures in place,” says Purcell.
Why an SSE Airtricity energy audit was a game changer for Aran Woollen Mills on its net-zero journey
Getting solid legal advice early in your company’s journey is invaluable
Water pollution has no one cause but many small steps and working together can bring great change
Empowering women in pharma: MSD Ireland’s commitment to supporting diverse leadership
“There’s a struggle with gaining complete visibility over the whole supply chain. That makes it a challenge to enforce consistent security policies.”
The traditional stereotype of cybercriminals needs to be cast aside, according to Mark Kelly, founder of AI Ireland, a not for profit that aims to increase public awareness of artificial intelligence across the island. He says the approach of the modern cybercriminal is professional and disciplined.
“These people take it as a nine-to-five, legitimate job. Forget about hoodies and dark rooms; it’s a mainstream job in the eyes of the people doing it,” says Kelly.
“They are trying to exploit vulnerabilities in international supply chains. Think about how supply chains operate – they are complex but inconsistent. That creates opportunities for breaches. AI can make millions of attempts at once to find these.”
With attacks operating at such a scale, Purcell says businesses need to take a composed approach to security. This includes using AI tools to combat AI-based attacks.
“Adopt a comprehensive cybersecurity framework, like those outlined in NIS2 [the new EU directive]. Regularly assess the security posture of all entities within the supply chain, so you can identify vulnerabilities and employ strict controls and security requirements,” he says.
“AI can analyse patterns of data to identify deviations that might indicate a security threat. AI-driven predictive analytics can also forecast potential threat vectors and vulnerabilities. You can also automate the response, which shortens the time taken to respond to attacks.”
Brian Honan, chief executive of BH Consulting, says businesses must take stock of what they are currently doing to protect their supply chains.
“Look at the security measures you have in place already and determine if they are robust enough to deal with a threat that has a much more effective arsenal than you previously faced,” he says. “Look at where you can use AI in your own defences. It can be very effective in a defensive mode at identifying attacks. Similarly, good vendor management helps secure the supply chain.”
Staff education is critical to successfully preventing AI-based attacks on the supply chain, according to Honan.
“The best defence you can have is a highly security-aware staff. Make them able to identify fake phone calls, video calls or emails. Make sure they know what verification steps they should take before acting on anything,” he says.
“It could be as simple as having a code word for you to know that the person you are dealing with is who they say they are.”
Kelly says that this education aspect is crucial, as it is often the case that suppliers are unaware of potential vulnerabilities.
“A lot of the time the vendors are smaller and don’t invest as much in security because they are just trying to get by. They also might not have the expertise to recognise blind spots. There’s a lack of education passed down to them in terms of what their requirements are,” he says.
“Investing in employee training is important. You’ve got to sit down with staff, educate them on cybersecurity best practices and make sure they feel comfortable recognising what an AI-driven social-engineering attack would look like.”