Supply chain cyber attacks represent a major threat to businesses. This type of attack involves criminals infiltrating the networks of an organisation’s suppliers or other business partners and working up the chain to gain access to the target’s sensitive data or systems. These attacks are dangerous precisely because they are hard to notice, so how can organisations protect themselves from them?
A supply chain attack is one in which cyber criminals target an organisation and leverage the trust it places in its supply chain partners to gain access to its data or systems. These attacks can involve infiltrating the systems of an organisation’s suppliers using BEC (Business Email Compromise) phishing scams and other techniques, then exploiting any privileged access the attackers have been able to gain. In doing so, they can halt operations by disrupting the flow of goods and services to your organisation, or simply use the supplier’s systems as a route into yours.
Sometimes, what is thought to be the main target is just a false flag – such as the SolarWinds breach in 2020. While devastating on its own, it’s believed the SolarWinds attack, in which cyber criminals attacked a single private company in order to compromise hundreds of others, was actually a targeted attack on the US government by foreign threat actors.
Supply chain cyber attacks are particularly dangerous because they can spread quickly throughout an entire organisation’s network and can hit several points of weakness. A single compromised supplier could provide criminals access to an organisation’s entire system, allowing them to steal sensitive data or disrupt operations on a massive scale. What makes these types of attacks even more dangerous is that they often go unnoticed until it is too late.
Every time an organisation interacts with an external vendor or supplier, they expose themselves to a risk. You might not think a supplier has access or information that would give a criminal cause or ability to attack your organisation, but consider software companies that you have subscriptions to, and ones that manage some of your services or IT. If you sell products or services, an attack on your supply chain of physical product manufacturing or logistics can financially impact your organisation in a short time, as well as lead to reputational loss.
A supply chain cyber attack can also disrupt efforts to combat modern slavery; something that modern organisations are fighting against. For example, an attack on a company that specialises in monitoring and tracking the supply chains of other organisations could cripple the ability of them to detect and prevent the use of forced labour in their own supply chains. Furthermore, supply chain cyber attacks can also be used to steal or destroy evidence of slavery, making it more difficult for organisations to act against those who engage in this practice.
Having a business resilience and continuity plan in place for incident response and disaster recovery can help your organisation handle any gaps in service or access if an attack occurs. Not only will it help limit damage and improve recovery time, but it will also outline how communication will be managed within the organisation. By planning for a variety of challenges, you can minimise costs and downtime for your organisation. If your organisation is in healthcare or social services, a resilience plan would be imperative to continuing care or rapidly restoring business continuity. Don’t forget to make sure your suppliers also have an incident response plan in place, so they can quickly respond to an attack and reduce any potential risk to your business.
If one of your suppliers was breached, how would that affect you and your organisation? This form of preventative security might not even be on your radar, but supplier compromise is one of the fastest-growing ways an organisation can be breached.
‘Island Hopping’ is where an attacker breaches smaller, more vulnerable partners in the supply chain leading to the main target. This allows the attackers to exploit the relationships between organisations, usually doing very little to the smaller companies other than exfiltrating information that will lead to accessing the larger organisation as an end goal. It can be harder to identify the source of a breach, particularly if criminals have left little evidence on their way up the supply chain.
Do you have a vetting procedure for your partners or suppliers? If any external companies work within any of your network or regularly email members of your organisation, it’s worth knowing what cyber security protections are in place, and what their recovery plan is.
Once measures are in place to vet suppliers, make sure all stakeholders are aware of the checks and balances needed to get someone on board. Discourage one-off suppliers unless necessary and ensure the system is set up for approval of things like purchase orders and procedures for invoice payments, onboarding of suppliers and even phishing simulation training to help your team identify any suspect communications or requests. If ever in doubt, use a secondary authorisation or phone verification to ensure a legitimate request is being actioned.
Even if a breach of your supplier’s network doesn’t create a network or data breach problem for you, their shutdown can cause havoc down the line. Single points of failure can slow down and disrupt your business’s operations to the point where you start losing money. If your critical suppliers or partners had a data breach or significant cyber event, do you have another point of supply to move to, ensuring your organisation doesn’t skip a step?
The best way for companies to protect themselves from cyber security supply chain attacks is by implementing security measures throughout their organisation. This includes conducting regular risk assessments and implementing secure policies for supplier onboarding and management processes. Additionally, companies should ensure that their suppliers have adequate cyber security measures in place as well—as any vulnerabilities in their systems could put your business at risk.
The threat of cyber security supply chain attacks is growing every day, and companies need to take steps now to protect themselves from these potentially devastating incidents. By conducting regular risk assessments and investing in robust cyber security controls such as security awareness training, MFA, encryption technology, anti-virus software, and secure networks, companies can significantly reduce the chances of falling victim to these types of attacks while still maintaining an efficient workflow across their organisation’s networks.
Contact us for a demo of our award-winning training platform for employee training on cyber security principles and how they can protect themselves and your organisation.