Cyber Risk in the Finance Sector within a Post Pandemic World
There is no doubt that the financial sector has become the most prevalent target for cyber security attacks over the last few years. The COVID-19
- Remote Support
- IT Support Portal
- Dynamics Support Portal
- Sales: 01892575675
- Support: 0345 450 4600
What is a Supply Chain Attack?
The majority of growing businesses work with a variety of partners and third party vendors in various different ways. Exchanging large amounts of data with other partners (such as integrations and customer details) heightens the security risk. With supply chains, deliberate cyber attacks normally involving Malware can easily reach the businesses in the chain through a number of vulnerable access points.
Accenture the global management consultancy recently released a report that over half of cyber attacks are delivered in the form of a supply chain and claim that over 60% of cyber attacks originate from entities that are part of the extended supply chain, or by external parties exploiting security vulnerabilities within the chain itself.
It’s important to note that the security of a supply chain is only as strong as the weakest member of the chain, cyber criminals identify the vulnerabilities of the weakest member to gain access to the other members of the supply chain.
These are worrying statistics for UK businesses considering GDPR is now in play. With the GDPR, a Supply Chain Attack that results in a data security breach could mean businesses are liable to a fine of up to 4% of annual turnover.
How are supply chains attacked?
Supply Chain Attacks commonly occur from third party software providers, third party data storage, websites and watering holes which are all used to distribute Malware. We briefly explore each method below.
Third party software providers
Attacks occur through malicious Malware or counterfeit components embedded in to software stored in repositories that businesses regard as secure. The software is then downloaded by users which then installs both the software and malicious Malware within it. With the compromised software being very difficult to detect if it has been altered at the source there is little clues for security teams to suspect it’s not legitimate. This year, the Petya Ransomware outbreak hit businesses globally infecting millions of computers.
Third party data storage
Many businesses store their data with third party companies which aggregate store and process the data. Some data storage providers are not fully secure and can be targeted by cyber criminals where they have the potential to cause large scale fraud with other links of the supply chain.
Websites
Cyber criminals can easily access insecure websites and add redirect scripts sending visitors to a malicious domain where Malware is automatically downloaded. This could be the website of one of your third party providers, which would then infect your business if your staff or clients visit the site.
Watering Holes
A watering hole Supply Chain Attack is where cyber criminals identify a website with high amounts of traffic eg. Government, finance, healthcare. Once hacked they use this website as a base to distribute Malware which can then infect that users device and other related networks.
Preventing a Supply Chain Attack
The more steps a business takes to improve their own security, the more secure supply chains will become. Here are a few things you can do to improve the security of your business and some considerations to ask your partners within supply chains. However, complex supply chains such as those in manufacturing require comprehensive risk management processes in place.
- Build Security declarations in to vendor and supplier agreements – Although these suppliers aren’t employees, you’re sharing important information and data with them and very often this is over email. While you may be able to trust your own security set up, can you rely on someone else’s? A data security policy should be part of a supplier agreement.
- Use endpoint protection for devices – ensure that staff are only using devices that have been checked and approved. Intercept X from Sophos offers full endpoint protection.
- Staff Awareness – Provide business cyber security training to all staff to ensure all employees understand and identify possible threats, additionally to train all staff not to keep passwords or private data stored in personal folders on their computers. Obtaining the Cyber Essentials Certification is a great way to get your business started.
- Encryption – Make sure all business hard drives are encrypted.
- Update – Ensure your businesses automatic updates are turned on to reduce the risk of running on an unsupported or out of date system that hold vulnerabilities.
- Back up – Ensure your business has a secure Disaster Recovery and Backup service in place as do your partners that have any access to your business data
Infinity Group are IT Security specialists and GDPR Consultants. If you are interested in IT Security strategy implementation or GDPR Consultancy, please get in touch to find out more.
Photo credits https://www.ncsc.gov.uk/
Related blogs you may find useful
Cyber Security Risk Mitigation Checklist
With employees, customers and partners all working from multiple locations on a multitude of personal and mobile devices, we find ourselves at risk of increased
10 tips when choosing a Cyber Security partner
Gartner warns that the risk landscape and external influences regarding Cyber Security are changing with COVID-19. This is significantly affecting security plans and is particularly
The Top Cyber Security Frameworks
Gartner challenges business to focus on security projects that drive the most business value and reduce the most risk, and not to over analyse security
We would love to hear from you
Our specialist team of consultants look forward to discussing your requirements in more detail and we have three easy ways to get in touch.
Call us: 03303 333 648
Complete our contact form
LiveChat now: via the pop up
Contact us
By telephone 0345 450 4600
Services
Dynamics 365 Consultancy
Offices
London Office 3rd Floor, The News Building, Shard Quarter, 3 London Bridge, London, SE1 9SG Kent Office The Coach House, Spencer Mews, Tunbridge Wells, Kent, TN1 2PY