Comment: Back to basics to throttle supply chain cyber threat
Effective cybersecurity is challenging enough for many organisations, but when you add supply chains into the mix that may include hundreds or even thousands of suppliers, the challenge grows massively.
There have been numerous instances where an organisation has been breached as a result of hackers finding a way in via third parties such as suppliers and contractors. Probably the most infamous example of a breach via a supply chain was the 2013 breach of US retail giant Target, in which hackers stole credentials from a third-party heating company that had access to Target’s networks in order to monitor its systems. The heating company had fallen victim to a spear phishing attack a few months before the main attack. Using the stolen access, the hackers installed malware on the retailer’s point-of-sale systems, harvested customer card details, staged them on a compromised Target server and finally sent them overseas. The breach resulted in the theft of the credit and debit card details of up to 40 million consumers and has, so far, cost Target over $200 million.
Breaches via a supply chain can occur in many different ways. A supplier could inadvertently introduce malware into a network via a phishing email, or a vendor’s credentials could be stolen, allowing a hacker remote access to an enterprise with which the vendor works. This can then lead to the infiltration of an enterprise’s network via a trusted source.
Are supply chains the weakest link?
Hackers seeking to breach a large organisation will often do their homework and seek to take advantage of the organisation’s supply chain. Various methods such as social engineering will allow them to learn who their target does business with or who its suppliers are. Social media also allows them to learn who the best people are to approach or target with phishing emails.
If they are particularly determined they are likely to go through every part of the supply chain to find any vulnerability and, once they find one, they will then seek to exploit it. Once in, they can then cause trouble right along the chain.
Large organisations’ supply chains consist largely of small and medium-sized organisations. Because of their smaller size and budgets, these are often considered the weakest links in the chain, as their cybersecurity measures are less likely to be as effective as those of larger organisations.
Forward-thinking supply chain operators, however, know that the most effective way of reducing risk is to support their suppliers and partners by providing tools and services that enable them to improve their security, rather than burdening them with endless questionnaires.
Reduce the threats by doing the basics
Organisations at the top end of a supply chain should encourage their suppliers to implement a cyber-aware culture. Adopting government schemes such as Cyber Essentials and educating employees at all levels will help to reduce the threat.
Good cyber hygiene should be encouraged: simple habits such as avoiding suspicious-looking websites and never clicking links you are uncertain about help avoid many cyber dangers.
Proper awareness training can also help staff recognise the signs that an email might not be legitimate. By educating employees and members of a supply chain on how to spot a suspicious email, it’s possible to cut the likelihood of a successful phishing attack. Most of the time these emails are caught by an email service provider’s spam filters, but hackers are tenacious and are constantly finding ways to try to circumvent them. Many businesses and organisations have fallen victim to such attacks. We all receive spam emails - it’s a part of everyday life, so if in doubt, it is always best to refer a suspicious email to an organisation’s internal security team and not click on any links or attachments.
Ensuring that every organisation in a supply chain has well-thought-out policies and procedures in place, such as allowing users to access only what they require for their role, or not allowing personal devices or removable media to be plugged in, can help to protect against cyber-attack. Likewise, carrying out an audit of assets will help an organisation to keep track of what is part of its network and - more crucially - what isn’t. Supply chain partners should also be encouraged to keep their anti-virus and other security applications up to date. Finally, it’s important to ensure there is continued awareness of these practices in the same way that fire drills are carried out regularly.
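The asset audit and the "keep security software up to date" points above are easy to state and hard to keep true over time. The following Python script is an added illustration, not code from the article or from any organisation it mentions, of how a small supplier could reconcile an authorised asset register against what is actually observed on its network (for example from DHCP leases or a network scan) and flag devices that are unknown, devices that have gone missing, and devices whose anti-virus definitions are older than an agreed threshold. The asset register, observed devices, MAC addresses and dates are constructed sample data; the 14-day threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: the authorised asset register (what the organisation
# believes is on its network). Keyed by MAC address; hostnames and dates are made up.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": {"host": "fin-ws-01", "owner": "finance", "av_updated": "2024-05-01"},
    "aa:bb:cc:00:00:02": {"host": "ops-ws-07", "owner": "operations", "av_updated": "2024-03-15"},
    "aa:bb:cc:00:00:03": {"host": "hvac-gw-01", "owner": "vendor-hvac", "av_updated": "2024-04-28"},
}

# Constructed sample data: what was actually seen on the network, e.g. parsed from
# DHCP leases or a scan. One device is present that nobody registered.
OBSERVED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.11"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.1.13"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.1.250"},
]


@dataclass
class ReconciliationReport:
    unknown: list   # observed on the network but absent from the register
    missing: list   # in the register but not observed (lost, retired, or offline)
    stale_av: list  # registered devices whose AV definitions are older than the threshold


def reconcile(register, observed, today_iso, max_av_age_days=14):
    """Compare the register with the observed devices as of the given date.

    Returns a ReconciliationReport; each list holds sorted MAC addresses so the
    output is stable and easy to diff between audit runs.
    """
    today = date.fromisoformat(today_iso)
    observed_macs = {d["mac"] for d in observed}

    unknown = sorted(mac for mac in observed_macs if mac not in register)
    missing = sorted(mac for mac in register if mac not in observed_macs)

    cutoff = today - timedelta(days=max_av_age_days)
    stale_av = sorted(
        mac for mac, asset in register.items()
        if date.fromisoformat(asset["av_updated"]) < cutoff
    )
    return ReconciliationReport(unknown, missing, stale_av)


def run_example(today_iso="2024-05-03"):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ASSET_REGISTER, OBSERVED_DEVICES, today_iso)


def describe(report, register):
    """Render the report as plain lines suitable for an audit log or ticket."""
    lines = []
    for mac in report.unknown:
        lines.append(f"UNKNOWN  {mac}: not in asset register, investigate")
    for mac in report.missing:
        lines.append(f"MISSING  {mac} ({register[mac]['host']}): registered but not seen")
    for mac in report.stale_av:
        a = register[mac]
        lines.append(f"STALE-AV {mac} ({a['host']}): definitions last updated {a['av_updated']}")
    return lines


if __name__ == "__main__":
    report = run_example()
    for line in describe(report, ASSET_REGISTER):
        print(line)
```

Two design notes. The script keys on MAC addresses because that is what DHCP and most scans give you, but a MAC is not an identity: a device can present any address it likes, so an "unknown" entry is a prompt to investigate rather than proof of an intruder, and a matching MAC is not proof that the device is the one in the register. Running this on a schedule and diffing the output against the previous run is what turns a one-off audit into the continued awareness the article asks for.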
The ‘It’ll never happen to me’ mentality needs to go
The belief that a cyber-attack will “never happen to me” is a surprisingly common reason for businesses not to invest properly in cybersecurity. Small businesses in particular are likely to believe this as they think that they’re too small to be noticed by cyber criminals. In reality, however, SMEs are actually targeted more often due to their appearance as a ‘soft target’ and as a potential way into a larger organisation’s supply chain. For this reason, large organisations should regularly assess the cybersecurity of their supply chain, and ensure that the necessary training, awareness and best practice cyber hygiene is in place to reduce the risk of a breach.