In recent years all business-to-business sellers have heard of concerns surrounding the security of the supply chain. In fact, most of the large cyber security breaches featured in the news have been caused by vulnerabilities that were exploited within suppliers forming part of the victim's supply chain; in some cases, the affected businesses were ordered to pay millions of pounds in fines and damages.
This post has been produced to help business owners understand what a Supply Chain Attack is, its potential impact on the business as a whole and on the supply chain, and finally what can be done to mitigate the risk of a cyber security incident so that the supply chain remains secure and a supplier can continue delivering their service or product.
What is a "Supply Chain Attack"?
A supply chain attack is an event where a cybercriminal or attacker identifies weaknesses in the supply network and breaches a less well protected company further down the chain. Essentially, the attacker locates the weakest part of the chain, compromises it and uses that foothold to breach the wider supply network. Normally the supplier will have either access to their client's data or direct access to their client's systems via the supply network. The attacker then uses the permissions granted to that supplier to shut down systems, steal data or do whatever else they want to the detriment of both the supplier and the client.
There are many ways a supply chain attack can occur, but generally they originate from open source and/or commercial software and foreign software products.
Versions of Supply Chain Attacks
Supply chain attacks take advantage of security flaws or weaknesses in the supply network. The most common forms include:
Stolen certificates. An attacker steals a supplier's certificate so that the malicious code they deploy appears to come from that legitimate supplier.
Compromised or infected software or infrastructure. Attackers look to leverage the tools used to build software applications, introducing security weaknesses into the development process before it is even used to create an application.
Malware already on devices. Malware can be placed on mobile devices, phones, USB drives, cameras and most other items utilised in your digital environment. All the attacker then needs to do is wait for you to connect the device to your network.
Infected firmware. All hardware is controlled by firmware, which is constantly updated to ensure that it performs at its best. Attackers can include malicious code in firmware to gain access to a system or network.
Why isn't more being done about it?
Last year the government conducted a survey to understand the extent of the continuing prevalence of Supply Chain Attacks and what could be done about them. 214 responses were received through the Call for Views between 17 May and 26 July 2021. This included 24 responses from individuals, 96 from organisations, and 94 unspecified responses. Here are the findings:
From the above it is clear to see that the rampant rise of Supply Chain Attacks is down to limited visibility within the supply chain and low recognition of Supplier Risk.
One measure that has been introduced with more vigour in recent years is for all organisations, but in particular suppliers that form part of the supply network, to obtain either Cyber Essentials or Cyber Essentials Plus.
However, the misconception here is that once you obtain your accreditation you are then cyber secure. This couldn't be further from the truth. A simple badge on your website or email signature will not protect you from the threats of cybercrime.
Obviously, the certification is a validation of the security stance of an approved holder at the time it is awarded, but the certification alone does not secure your network. You need to have a complete cyber security solution in place that goes beyond anti-virus, spam filters and firewalls.
The fallout from a Supply Chain Attack
Needless to say, the fallout could be catastrophic for your business's reputation and your client's reputation, with the very real possibility of significant financial loss and damages on top.
Should you be able to sustain these ramifications, you will then need to investigate the attack, find out how it happened, take remedial steps to restore your network and data, and possibly replace any infected hardware within your estate: a very time-consuming and costly exercise.
A report by the security firm Kaspersky states that the average financial impact of a supply chain attack against an enterprise reached $1.4 million (£1.2 million) in 2021, making it the most expensive type of incident.
What you can do to secure the supply chain
Working with a company proficient in cyber security, such as Onyx IT, is a great first start.
Onyx has the expertise and knowledge to assess your network, identify the risks you face and provide a solution to mitigate those risks. A detailed assessment can be completed in just a few hours and a plan presented.
The threat of Supply Chain Attacks is very real and occurring every day of the week. You now have a little more information on the subject: you understand how they can occur, the main reasons for their increasing prevalence, and finally the steps you can take to mitigate your risk and avoid a potentially business-ending event.