The overriding message of John Stengel’s Expo 2022 session “Hacking the Supply Chain” was “Trust no one and verify everything.” Stengel, CEO and president of JSCM Group, which manages cybersecurity for companies and governmental organizations, has spent 20 years preventing cyberattacks and recovering data after attacks happen.

Stengel says that in most cases, you don’t even know your business is being hacked. “Most attacks happen over a week to 18 months,” he says. By the time your computers are locked and hackers are demanding ransom, the damage is done.

Attackers have different goals depending on the business. They may be political or environmental hackers, nation-state attackers using your computer systems to attack others, or extortionists demanding ransom payments for the return of your information and computer systems.

Stengel says the ransom demand can be $500,000 to $5 million dollars, and he does not recommend paying it. “Fix the problem rather than paying ransom,” says Stengel. “If you don’t fix the initial problem, which is the way they got into your system in the first place, they will return and demand more money.”

Stengel points out that the true vulnerability for most companies is the cybersecurity of their vendors and suppliers. “Everyone is so interconnected now that companies may not know who or where their vendors are located or are doing business.” He says that outside IT vendors are especially vulnerable. “You can’t be too dependent on another business because what are you going to do when they get hacked and their services and systems are out of commission?”

Stengel says companies need to have a plan in place for when this happens and to understand that you can’t think only of your own business security, but the security of every company you do business with. He says you must require the following items from your own company and each of your suppliers and vendors:

• Use the “Principle of least Privilege.” Don’t give all your information away to any one company. Have zero trust of exclusive deals.
• Get third-party testing of your IT security, even if you have an in-house IT team.
• Get real liability insurance, not a rider.
• Ensure ISO certification of security systems.
• Use redundant vendors. Work with more than one company so you can avoid chaos if a particular vendor or supplier is a victim of a cyberattack.