Intro/Outro (00:03):
Welcome to Supply Chain Now, the voice of global supply chain. Supply Chain Now focuses on the best in the business for our worldwide audience: the people, the technologies, the best practices, and today’s critical issues, the challenges and opportunities. Stay tuned to hear from those making global business happen, right here on Supply Chain Now.
Scott Luton (00:32):
Hey, good morning, everybody. Scott Luton with you here on Supply Chain Now. Welcome to today’s show. Today we’re speaking with a business leader on a critical topic, cybersecurity, and we’ve all seen cyber threats continue to grow across global supply chain. Stay tuned for a few things that you should know, you must know, you gotta know. So, no further ado, walking in our guest here today: Allison Krache Giddens, president of Win-Tech Inc., an award-winning manufacturing company that works in a variety of industries, including aerospace, medical, construction, and a lot more. Allison, how are you doing?
Allison Krache Giddens (01:05):
Hey, I’m good. How are you?
Scott Luton (01:07):
Doing wonderful. And it’s been really cool to see you and the Win-Tech Inc. team continue to grow and tackle big projects. I really appreciate you coming in here today and sharing some of your expertise.
Allison Krache Giddens (01:18):
Definitely. Thanks for having me.
Scott Luton (01:20):
You bet. Now, before we get into cybersecurity, you know me, I like to start with a factoid and a fun warm-up question. So today we’ve got a good one. Allison, as I was sharing pre-show, this little anniversary, I’ll call it a tech anniversary, created a firestorm of debate on a team call this morning. So I’m gonna share it first, and then we’ll get you to weigh in. We’re recording this episode today on September 23rd. On September 23rd, 2008, the world’s first Android-based smartphone was released by Google and T-Mobile. It was called the G1 or the HTC Dream, depending on where you lived in the world. So Allison, are you a devout Apple or Android user?
Allison Krache Giddens (02:08):
I am Android, all day long. Oh yeah. What are you?
Scott Luton (02:14):
So, as I mentioned earlier, in that team call I learned things. I felt like I was just being born, because of how much I learned in that 20-minute discussion. I am Apple on my phone, but I am Android or PC everywhere else. Does that make sense?
Allison Krache Giddens (02:32):
Okay. See, but that’s confusing, because I tried having an iPhone at one point and I hung up on every caller by accident, <laugh> because it’s the opposite, right? The green and the red buttons for answering calls or declining calls are opposite. So I had started with an Android-style phone, I think. Yep. And then, just for the heck of it, I thought, all right, well, everybody keeps talking about iPhone, so I’ll go get an iPhone. I got an iPhone. Hated it. Hated it, really. Oh my God, I kept deleting apps by accident. I kept hanging up on people. <laugh> Yeah.
Scott Luton (03:06):
So it just didn’t work.
Allison Krache Giddens (03:07):
Android every day, all day.
Scott Luton (03:09):
Well, you know, I’ve never stopped to think about it. One of the 17 pages of notes this morning is that some of those folks who are really, completely dedicated on the Apple side, you know, they’ve got iPhones and then they use Apple laptops and whatnot, and they were just singing the praises of how everything’s synced and they don’t have to use different apps and stuff. Maybe I’m slow, but that’s Google.
Allison Krache Giddens (03:35):
But that’s Google. Google does that. That’s my life: my Google Calendar, my Google email, my Google Photos. Everything’s integrated there.
Scott Luton (03:44):
All right, well, maybe I’m just behind the times. So we’ll have to exchange and compare notes more about all-Google or all-Apple and the benefits there. But moving right along to the greater challenge of the day, and by the way, thank you for weighing in on that debate. But the big topic at hand: cybersecurity, right? And as you and I both know, it is not going away anytime soon. In fact, the challenges are only getting more complex. And I would argue that global supply chains have never witnessed the level of cyber attacks that they’ve been experiencing in recent months. So before we get you to weigh in with your expertise, Allison, here are just a couple of factoids on the front end. So speaking of that level of activity of bad actors out there trying to do bad things: according to Check Point Research, second quarter 2022 saw an all-time peak, where global cyber attacks increased by 32% compared to the same timeframe in 2021.
Scott Luton (04:41):
Now, what does it look like? Well, the European Union Agency for Cybersecurity says that malware is used in 62% of supply chain cyber attacks. 58% of supply chain incidents target customer data, and we’ve seen some big names get compromised there, right? And then finally, in 66% of the attacks on global supply chains, suppliers either didn’t know or they failed to report how they were compromised. And that doesn’t help us in many ways, and doesn’t help, you know, end-to-end supply chain. So Allison, with that as a backdrop, and so much more, what are, from your view, three things that business leaders, especially those in global supply chain, must know about cybersecurity?
Allison Krache Giddens (05:24):
Well, yeah, those are some pretty staggering statistics there. I believe that the three that really stick out to me: one you touched on right away, and that is business leaders need to understand that it’s not a matter of if you’ll ever get compromised, it’s a matter of when, and will you be resilient? How will you bounce back? It’s all in, you know, risk management and planning for the worst-case scenario. That is the absolute number one thing that business leaders, especially those for whom cybersecurity is not a subject they’re an expert in, have got to understand.
Scott Luton (06:02):
And so wishful thinking, a failure to be rooted in reality, you know, all the “hope is not a strategy” stuff. And I like your last point there. You know, if business leaders aren’t a cybersecurity expert, or maybe not even a technologist, that’s okay. Find an expert who can help them get out in front as much as they can. Right?
Allison Krache Giddens (06:24):
Bingo. And that’s number two. That…
Scott Luton (06:27):
Would be… oh, okay. Perfect.
Allison Krache Giddens (06:28):
Sorry. <laugh> No, that’s good. Nice segue. It’s not that business leaders, especially people in small business… There’s the notion that, well, we have to know everything, right? We have to be the good HR person. We have to know accounting and finance. And, oh, by the way, if you’re in manufacturing, you also have to know the shop floor. There are all these things that we all have to know and become really, really good at. You don’t have to be, quote, good at cybersecurity. You need to find somebody you trust in that space, and whether that’s inside or outside of your company, that’s a whole other topic for another podcast for another day. But that is definitely number two: you need to know what you don’t know, and you need to find someone you trust to help you do it.
Scott Luton (07:12):
Yeah. You know, trust has been such an ongoing theme in a bunch of recent conversations that we’ve been having. And you’re absolutely right. In fact, one of the stats I didn’t grab from some of the pre-show reading I was doing was how many of these attacks eat at and erode the trust between customers and suppliers, and, you know, amongst the supply chain. And, you know, I’ll tell you what, let me make this make sense. So, we were the victim of a cyber attack years ago, right, and had a big loss. And what took place, at a high level, is folks had penetrated a team member’s email, and then they were able to pose as customers and as us, collecting on payments. Right? So talk about if you’re trusting the conversations and you don’t know who you’re dealing with, and then payments were diverted, Allison. So Allison, a trust factor: you know, folks, bad actors are preying on the trust factor with many of these cyber attacks. I mean, we’re living proof. And going back to your first point, you’re gonna be a victim, you’re gonna be a target rather, you know, and it’s up to you to mitigate that risk, right?
Allison Krache Giddens (08:37):
Yep. Bingo. It’s up to you to mitigate that risk. It’s up to you to plan accordingly. And if that means making sure you’ve got, you know, a solid backup that is also not compromised, finding somebody you trust, having that plan is ultimately something that those top two things would fall under, right? A risk management plan or an incident response plan. It’s: okay, if this happens, then what do we do next? And you have to have somebody you trust to help you come up with that. But fact of the matter is, yes, you’ve gotta have it.
Scott Luton (09:11):
And kind of no different, those contingency plans you’re talking about, no different than if you were to have a chemical leak at your facility, or if you were to have… you know, the pandemic, of course, got many organizations and leaders rethinking scenario and contingency planning. So no different here, right?
Allison Krache Giddens (09:28):
Exactly. Yep. Yep. And that third thing I think I would tell business leaders, anyone dealing in supply chain, really any business owner, leader, you name it: there are two things that you can do to immediately make a significant impact in your cybersecurity posture right now. And that is use MFA, that’s multi-factor authentication, that is having one of those, whether it’s Google Authenticator, whether it’s Duo, a lot of these different apps that will prompt you for a code in order to access an application or an email. All of these things is just another layer of security. I believe Microsoft estimated that well over 95% of incidents could have been prevented by MFA. Really, that’s mind-blowing. That’s mind-blowing. Like, why would you not do MFA? So that third piece, I guess three A, is use MFA. And three B is never underestimate the power of the user. And that’s in good ways and bad. Your people are your first line of defense. Your people are also your weakest link. So if you can make immediate impacts in training, and there are plenty of resources out there to make that happen, if you can do that, then between that and MFA, you are gonna be light years ahead of your peers.
Scott Luton (10:57):
Well said, well said. What’s the old Benjamin Franklin saying about an ounce of prevention is worth a pound of cure?
Allison Krache Giddens (11:08):
Something like that.
Scott Luton (11:10):
<laugh> yep. That applies here, right?
Allison Krache Giddens (11:12):
Oh, absolutely. It’s pennies on the dollar for a lot of these websites. Off the top of my head, I’m thinking KnowBe4 and Proofpoint. And these are different training websites and things you can put together to help employees understand and recognize phishing attempts and safe internet browsing and things like that. If anything’s gonna happen, it’s gonna be because someone clicked on something, or someone basically invited the bad guys in, right? Knowing it or not. You have your insider threats, but generally it’s your people clicking a link. Yeah. And by doing that, then, like I said, MFA and helping the user to understand and recognize and identify the bad guys, that’s key.
Scott Luton (11:58):
Well said. All right. So I know you’re gonna share a few resources. You just kind of did a moment ago, but before you share any others, I just wanna bring up email, right? Because, as I mentioned a minute ago, our worst attack, where there was loss, and then there have been a couple of close calls, to your point exactly, where, you know, these days, email ghosting, it can look, unless you’ve really got the magnifying glass out, it can look just like it’s coming from the person they are saying they are. And sometimes it’ll be a quick request. And then, you know, you’re in the middle of your day, so you work on what they need and send it to ’em, and then you blink, and then you’re not sending it to John or Jane or whomever, you’re sending it to a bad actor that then, to your point, now that we’ve invited them in and given them a little opening, they take it and they do bad things.
Allison Krache Giddens (12:50):
You got it. And so it is, the bad guys play off of psychology and just human factors. And yes, the Uber attack that we’ve all heard about of recent in the news cycles. Yep. They were compromised. And I have not been keeping up with it as much as I should, but in the early days of the announcement, from what I understand, it happened because there was basically somebody who kept hitting that MFA request button, and the person on the other end, who might have been a better gatekeeper, mm-hmm <affirmative>, ended up just getting a little frustrated with the requests and just said, okay, fine, yeah, yeah, yeah, add device, <laugh> and hit the button. So, you know, whether or not, and gosh, God bless the people at Uber for having to deal with all of the fallout, <laugh> but that’s, you know, again, your people are your first line of defense. And don’t let your policies, or don’t let urgency, get in the way of the well-meaning policies.
Scott Luton (13:53):
Well said. One last thing, one last thing, ’cause what you’ve been sharing here has triggered one more experience. One of the incidents, I’ll call it, one of the times that we had a bad actor trying to penetrate us, they had posed as one of our team members a few years back, and this was the sweetest team member, low-key. You could never make him angry about anything. Oh, no. Right. Well, get this: in the email, whoever was portraying this individual was demanding, and it was getting stern and demanding, you know, “I need this now,” you know. And it really caused me and a few others to stop and say, hey, man. And this was like during the middle of the day. It’s not like, <laugh> it was over beers, you know? Right. The individual was typing us late at night or something. But I think you gotta look for that as leaders. If something doesn’t sound right, doesn’t look right, even the smallest little thing, call time out and do a little homework and just make sure.
Allison Krache Giddens (14:55):
So, and you gotta communicate that to your people too. So we have a thing here at Win-Tech where we tell people, you will never, ever, ever, quote, get in trouble for deleting an email that looks weird. I regularly have people call me into their office: do you have a minute? Look over my shoulder. Is this you? Or is this so-and-so? Or does this look legit? Right. And it’s like, when in doubt, delete it. Because if somebody legit is going to send one of my employees something that looks sketchy, yeah, then shame on them. <laugh> Try again.
Scott Luton (15:26):
And to your point, you know, if something’s actual, real urgent and business-related and they don’t get an answer, they’re probably gonna call you, and they’re definitely gonna email you again. So anyway, love your practical, been-there-done-that tips. Appreciate what you’re doing in industry to elevate the conversations for cybersecurity and beyond. You know, here in the States, of course, the national defense supply chain organization, we’re trying to get a lot smarter about that, and love the leadership you’re doing there. Okay. Resources: what other resources would you throw out there for any of our listeners?
Allison Krache Giddens (16:03):
I really say the first place to start is CISA.gov. And that is C-I-S-A dot gov. It’s a website, it’s a very comprehensive website. It’s the government doing the hard work. And I know kind of the joke from a business owner’s perspective would be, oh, that’s a first. But the government is doing the legwork on the information sharing when you look at what they call the security advisories. And I just kind of got this summary not too long ago from a friend of mine, Ryan Bonner.
Scott Luton (16:35):
Did it really come from Ryan? Did that really come from Ryan?
Allison Krache Giddens (16:37):
It did. This really came from, yes, this particular one really came from Ryan. He’s with DEFCERT, and his focus is helping small businesses in the defense industrial base kind of, you know, protect themselves, get up to speed, get prepared for industry frameworks and standard certifications. And he pointed out, he said, when you look at the security advisories from US-CERT, which is on CISA.gov, these are all the advisories. This is the government monitoring stuff in the country, out of the country, everywhere. And you can notice the same patterns. It’s basically the bad guys, and the fix in what they’re trying to do or attack, the fix is having offline data backups. It’s making sure that you know who has access into your network. It’s using MFA. It’s monitoring your systems, having someone you trust be able to watch the traffic within your network. Yep. It’s making sure that you’re patching. You know, when Microsoft sends out an urgent security package or patch, you’re not sitting around for three weeks before you install it. It’s all of these different things. But there are so many patterns in those security advisories that if this gets overwhelming, which I guarantee you it can, it’s apt to do, that’s where to start: look to see where those patterns are and how they are applicable to your systems.
Scott Luton (18:04):
Excellent. And, you know, those patches that you mentioned, I know here in recent months those patches have been urgently created and distributed because specific attacks were prevalent and were growing, ’cause they were taking advantage of newly exposed weaknesses in the technology. So hey, take those patches and those updates very seriously, to your point, Allison, and in a timely manner. Right?
Allison Krache Giddens (18:30):
You got it. Yep. Those vulnerabilities, once they’re acknowledged and discovered, can be a scary place for anybody working in cyber. So again, it just comes back to: find somebody you trust who can help you when these kinds of things come up.
Scott Luton (18:43):
That’s right. Okay. Other resources? I would include you on there, right, and some of the groups you’re a part of.
Allison Krache Giddens (18:51):
Well, I don’t know about that. I know just enough to be dangerous here. I just speak to kind of my experience in the small business world and kind of where we have started. You know, you only have so many resources to devote to these kinds of things, especially when cyber is not your subject matter expertise or what you’re selling. Right, right, right. But you still have to implement this in your business. But yeah, another resource I’d say is tap into your industry association, even if the industry association is not a cyber-related one, right? Chances are they probably have recommendations, or they can connect you to somebody who does. So that’s another really good option.
Scott Luton (19:31):
Excellent point, excellent point. Well, you know, one other thing that I know we have in common in terms of what we get a kick out of, perhaps, and it’s not necessarily hacking and related to cybersecurity, but it’s along those lines of bad actors doing bad things. You know, there’s a whole racket out there. In fact, I would call it a burgeoning global cottage industry of folks that are making calls, imitating different folks, and getting their victims to go to stores and buy gift cards. Right? You and I both have seen this. Yep. Well…
Allison Krache Giddens (20:05):
Social…
Scott Luton (20:05):
Engineering. Social engineering. Thank you. You always bring a lot more intelligence to the table than I do. Thank you, Allison, for making me feel…
Allison Krache Giddens (20:13):
Smart. It’s different. We’re different. And that’s good.
Scott Luton (20:15):
So, but there’s also, at the same time that all these folks have been taking advantage of, which isn’t funny, but what is funny is, across YouTube there are folks that have really specialized in messing with these bad actors, right, and trying to use up their time so they’re not out there harming others. And I gotta tell you, Allison, I wish I’d brought a list of some of my favorite YouTube channels along these lines. You know, if you Google probably “hacker prank” or something like that, you’ll see these people. They’re great. Oh, there you…
Allison Krache Giddens (20:54):
Go. Those are so good. Yes. Because for every minute that you’re distracting them on that, then they’re not taking advantage of somebody who is not paying attention.
Scott Luton (21:04):
That’s right. And unfortunately, there’s lots of folks that get this bad, fake call. They get out of their recliner, go to, you know, Walmart, and buy all these gift cards and transfer ’em over. And then they blink and they’re out a couple grand, and all of it was just, you know, a crime. So anyway. Yep. All right. So Allison, we love, you know, you cohost shows around here, make appearances, love your passion for manufacturing and lifting industry up. Love your work with Women in Manufacturing, right? So how can folks, if they want to compare notes cyber-wise, if they wanna compare notes manufacturing-wise, if they wanna connect with you on social, how can folks connect with you?
Allison Krache Giddens (21:54):
Definitely find me on LinkedIn. I’m Allison Giddens on LinkedIn. Would love to connect with people. I kind of occupy that funny, goofy space of defense manufacturing and cyber standards and contractual flow-down and all that kind of really, really fun and riveting topics. <laugh> But yeah, definitely happy to connect with folks on LinkedIn.
Scott Luton (22:16):
And I’d add in the book reviews. I love your book reviews, and not too many folks do book reviews anymore. I love that you make reading a lot easier, and I love how you share your key lessons learned from your different reads. So keep on sharing, keep on leading. So big thanks to Allison Krache Giddens, president at Win-Tech Inc., for joining us here today. Allison, thanks again.
Allison Krache Giddens (22:44):
Thanks for having me. I appreciate it.
Scott Luton (22:46):
You bet. Okay, folks, you heard it: take action, deeds not words. And you gotta take care of your organization and your team, your intellectual property, your resources. So you gotta be proactive at all of that. So with all that said, Scott Luton here, wishing our listeners nothing but the best. Hey, be like Allison: do good, give forward, be the change that’s needed. On that note, we’ll see you next time, right back here on Supply Chain Now. Thanks, everybody.
Intro/Outro (23:12):
Thanks for being a part of our Supply Chain Now community. Check out all of our programming at supplychainnow.com and make sure you subscribe to Supply Chain Now anywhere you listen to podcasts, and follow us on Facebook, LinkedIn, Twitter, and Instagram. See you next time on Supply Chain Now.