Top 10: Supply chain cybersecurity vulnerabilities

Supply chains are targeted by hackers seeking a 'back door' into larger companies. Here is 10 of common vulnerabilities targeted by cyber criminals

Cybersecurity is near the top of most CIOs’ list of priorities. Supply chains often comprise thousands of vendors, many of which might be vulnerable. Hackers often target such vendors as a means of insinuating their way downstream or upstream into a multinational company, who is their ultimate target – the so-called backdoor attack.

The consequences of such an attack can be severe, operationally, financially and reputationally. 

Only this summer the largest password collection in history was leaked on a popular hacker forum, allegedly containing 82 billion passwords. It’s a worrying snapshot of the threats that lurk out there.

Top 10 supply chain cyber threats: Cloud security 

Most organisations have concerns about cloud security. Misconfiguration, unauthorized access, insecure interfaces and the hijacking of accounts are all potential points of entry for hackers. With more companies digitally transforming and leveraging online collaboration tools, the migration to cloud computing has also accelerated. The cloud will continue to shape the way businesses operate, as well as expose a slew of security challenges and threats. 

Top 10 supply chain cyber threats: Social media 

Social media is all-pervasive, and continues to be a medium of choice for launching cyberattacks. Data breaches have demonstrated weaknesses in social networks for hackers to slip through, and poor security housekeeping on the part of users means hackers don’t even have to break through the site’s defences. 

Phishing schemes (credible-looking emails and texts that invite the user to share personal data) and spoof accounts are just two of many ways to trick users into giving up their credentials, and are a constant threat. Worryingly for commerce, attackers are transitioning from targeting individuals to targeting businesses via social media. 

Top 10 supply chain cyber threats: PDFs

PDF files are an enticing means of phishing as they are cross-platform and allow attackers to engage with users, making their schemes appear more believable than a text-based email with a plain link. Unlike many email scams, PDF hacks often don’t ask you to open a link to give information.  

Scammers know people are more likely to open a PDF than an email, especially if they think it is a bank statement. Security company Palo Alto Networks says last year there was a 1,160% increase in malicious PDFs, and that this is set to rise.

Top 10 supply chain cyber threats: Databases

Database security is becoming a big security challenge for businesses in 2021. According to American IT provider, Straight Edge Technology, some hackers use social engineering attacks to steal login credentials, while others use malware to gain access. One of the significant issues with database exposure is the fuel it provides for hacks based on social engineering.

Top 10 supply chain cyber threats: Accidental sharing

Human error is something all hackers rely on, and for good reason: we’re all fallible. Accidental sharing includes personal or business data, via email, unsecured forms or via social media messaging. It is a particular threat to companies where large numbers of employees have access to primary databases, and occurs when information is shared or leaked accidentally. 

Top 10 supply chain cyber threats: SMS

While phishing often occurs via email and web browsing, so-called ‘smishing’ is through SMS text messages on one’s phone. The attacker sends an SMS text message with a link that, once clicked, begins the attack. Cyber criminals are turning to such attacks because many email programmes – Google Mail and Microsoft Outlook for example – are smart enough to detect phishing emails. 

Top 10 supply chain cyber threats: IoT devices

The Internet of Things (IoT) market is touted to grow to US$1.1tn by 2026, and the widespread use of IoT devices opens up serious cybersecurity threats, especially in supply chain, where IoT tech is commonplace. According to Symantec, IoT devices experience an average 5,200 attacks a month, and with IoT tech expanding almost exponentially, the attack surface for cybercriminals to target is huge.

Top 10 supply chain cyber threats: Poor housekeeping

For all the sophistication of cybersecurity solutions, one of the biggest problems remains people's complacency and laziness around basic cybersecurity housekeeping. We all know someone who uses the same passwords for everything, or who doesn't bother changing default passwords from 0000 or 1111 to something secure. This was how the UK's newspaper phone hacking scandal was made possible, and it remains a rich source of joy for cyber criminals worldwide.

Top 10 supply chain cyber threats: Phishing

Phishing is when attackers attempt to trick users (typically via email or text messages) into clicking a link that downloads a piece of malware, or that directs them to a dodgy website. Phishing attacks account for more than 80% of reported security incidents, according to CSO Online, accounting for one in every 4,200 emails last year, and is set to increase further this year. According to Symantec one in 13 web requests leads to a malware attack, and an estimated $17,700 is lost every minute due to a phishing attack.

Top 10 supply chain cyber threats: Ransomware 

Ransomware attacks are of huge concern to businesses with large supply chains. Ransomware attacks are more common in developed countries with high levels of Internet usage. Accordingly, the US ranks highest, with 18.2% of all ransomware attacks (Symantec). The average ransomware payment in 2021 was $111,605.

An infamous example of such an attack was the Kaseya ransomware attack in July 2021.

Kaseya is an international software provider with headquarters in Miami and Dublin. It provides IT solutions to 40,000 organisations, as well as technology to managed service providers, which then serve other organisations. This what made Kaseya such an inviting target for the hackers. 

The attack was eventually linked to the notorious Russian hacking group REvil, who exploited a vulnerability in Kaseya’s remote computer management tool.

As you’ve just read, the diversity of options open to cyber criminals is sobering, which is why businesses must be meticulous in their approach to cyber security. Here is some advice around protecting supply chains from Andy Wood, Vice President of IT Sourcing at Proxima, the procurement and supply chain consultants.

Supply chain cybersecurity measures: Prevention 

For cybersecurity, prevention is always better than cure. Enlisting a focused cybersecurity service provider that can undertake a robust cyber maturity assessment helps. By planning for every contingency and seeking out future vulnerabilities, companies can inoculate themselves against would-be cyberattacks and viruses.

Supply chain cybersecurity measures: Budget assessment

More companies are upping the ante on cybersecurity spending in technology supply contracts, due to the costs that can result from a breach. There must be healthy conversations between CISOs and CFOs about budgets if cybersecurity requirements and preventative measures are to be properly supported. By allocating resources up front, companies can save millions by preventing cyberattacks. 

Supply chain cybersecurity measures: Compliance

Companies must ensure their technology supply agreements include appropriate security compliance provisions that delineate the cybersecurity requirements in which their technology partners need to comply.

Supply chain cybersecurity measures: Collaboration 

It’s important for technology procurement professionals to support CIOs in responding to the challenges presented by cyber threats. One of the most things is a robust sourcing strategy that embeds diligence around supplier screening as part of the onboarding process. Contractual provisions must also be part of agreements so that subsequent and ongoing monitoring of supply chain risk takes place.

Supply chain cybersecurity measures: Partnerships 

The cybersecurity supplier and solution landscape is crowded, and companies must select partners who reduce the risk of cyberattack on their unique technology footprint. This requires an exhaustive cybersecurity audit, to identify gaps and vulnerabilities.

Supply chain cybersecurity measures: Managing risk

Businesses need to know where they are on the risk spectrum. It’s important to understand the varying requirements around robust cybersecurity risk management and governance. How businesses govern, identify, detect and respond to risk is crucial to managing cybersecurity needs. 

Supply chain cybersecurity measures: Stay current

The pace of change in technology is unrelenting. Technology-sourcing professionals need to stay up-to-date on their tech knowledge if they are to properly advise CIOs and CFOs on the best cybersecurity investments.

Share

Featured Articles

EY & Thompson Reuters team-up on sustainability

SUPPLY NEWS ROUND-UP; EY & Thompson Reuters in green team-up; 90% of SMBs hit by supply disruption;  Kahlúa ESG milestone on Mexican coffee beans

Logistics global air, sea, road and rail news round-up

Freight forwarders fear inflation most – DP World survey; DB Schenker in corporate rejig; Etihad Cargo & DSV Logistics in green-fuel first

Supply chain problems 'have changed supplier relations'

As CEO of Supply Chain at Genpact, Michael Ciatto delivers business transformation and operational excellence for 200 companies annually

Procurement talent 'must be retained not acquired'

Procurement

LinkedIn reacts to AWS Supply Chain: too narrow in scope?

Technology

S&OP planning in a state of flux, say EY & KPMG

Supply Chain Risk Management