Hackers target supply chains – don’t be shackled with insecurity

So you have your own company cybersecurity in order, but what about the people you do business with – and could their attitude impact on your own cyber health?

It’s being reported that some UK businesses are overlooking vulnerabilities in their supply chain.

They may be confident in their own protections, yet some professionals are concerned that the due diligence security audits performed when taking on suppliers are insufficient.

Supply chain hacking is nothing new. Sometimes known as value-chain or third-party attacks, a supply chain attack occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.

Risks associated with this kind of attack have never been higher, given attackers have more resources and tools at their disposal than ever before.
Reports have indicated that over half of cyberattacks are delivered in the form of a supply chain and claim that over 60% of cyberattacks originate from entities that are part of the extended supply chain, or by external parties exploiting security vulnerabilities within the chain itself.

20% of businesses who responded to a recent survey confirmed they do not communicate with suppliers when testing their cybersecurity recovery process. But this could just be the tip of the iceberg and I suspect the true figure to be even higher.

We’ve seen time and time again that hackers seek out the weak spots and vulnerabilities to cause havoc. They are targeting business supply chains as the supply chain can prove be the weakest link and a way of making inroads into an organisation.

A good example, and a well referenced case, was Target in the USA. There, attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one, and that happened to be a refrigeration contractor.

This kind of example shows the reasons behind Central Government adopting Cyber Essentials as an entry benchmark for all suppliers of the public sector, including MoD, the Government, NHS and others.

The Scottish Government is leading by example on cyber resilience has ruled that all 200 public bodies across Scotland have to become Cyber Essentials or Cyber Essentials Plus certified by October, which will trickle down to supply chains.

Businesses must perform the necessary due diligence when integrating a new provider into their supply chain.

Considering the risk associated with a supply chain attack, conducting a cybersecurity audit of your supply base should not be a box-ticking exercise.
Ask yourself this - has your business ever rejected a supplier on the basis of audit findings? Are you confident in your supplier’s due diligence?
The assessment of cybersecurity procedures should be a vital part of any contractual agreement and organisations will need to ensure that they have insurance to cover their supply base.

Without these measures in place, cyber criminals could use suppliers as a stepping stone to gain access to their ultimate target - your business.
Have robust procedures to withstand the scrutiny of tougher security audits from clients, with the risk of fines under GDPR a particularly strong reason for firms to ensure a partner’s security is in good shape.

The more steps a business takes to improve their own security, the more secure supply chains will become and here’s some steps that may help:

Build security declarations into vendor/supplier agreements – Although suppliers aren’t employees, you’re sharing important information and data with them and very often this is over email. While you may be able to trust your own security set up, can you rely on someone else’s? A data security policy should be part of a supplier agreement.

Use endpoint protection for devices – ensure that staff are only using devices that have been checked and approved.

Staff awareness – Provide cyber security training to all staff to ensure employees understand and identify possible threats. Obtaining the Cyber Essentials certification is a good way to get started.

Encryption – Ensure all business hard drives are encrypted.

Update – Ensure your businesses automatic updates are turned on to reduce the risk of running on an unsupported or out of date system that hold vulnerabilities.

Back up – See that your business has secure back up and disaster recovery service in place as do your partners that have any access to your business data.