Kroll: How to Protect Supply Chains from Cyber Attacks

IT providers must have sufficient measures in place to protect the supply chain against cyber attacks. Picture: Getty Images
As the Digital Operational Resilience Act is introduced in the EU, experts from Kroll discuss the cyber measures IT providers must have in place

Threat actors' recent focus on tech companies is especially important given the incoming Digital Operational Resilience Act (DORA) in the EU.

The regulation, with which businesses must be compliant by January 2025, aims to address ICT risk management in the financial services sector and its supply chains.

Here, Laurie Iacono, Associate Managing Director of Cyber Risk at Kroll, and Tiernan Connolly, Managing Director of Cyber Risk at Kroll, discuss what measures IT providers must have in place to protect against cyber attacks and how they can plan for business continuity. 

Amid increasing cyber attacks on the tech and telecoms sector, how can firms better protect themselves?  

LI: Attacks on the technology and telecom sectors disrupt critical communication and operational technologies, leading to delays and vulnerabilities in dependent industries. Telecom disruptions can halt critical operations reliant on internet connectivity and communication systems, impacting logistics, customer services and production schedules. Further, telecom providers often store sensitive customer and business data. A breach could expose proprietary or personal information, leading to compliance issues and reputational damage. 

Laurie Iacono, Associate Managing Director of Cyber Risk at Kroll

Since many supply chains depend on telecom services for coordination (e.g., cloud platforms, IoT devices, remote monitoring), attacks can lead to cascading failures, delaying operations across multiple tiers of the supply chain.

Companies can mitigate risks by adopting multi-layered cybersecurity measures, conducting regular risk assessments and emphasising third-party risk management strategies aligned with frameworks such as DORA, which stresses robust ICT risk management and incident reporting. 

Avoiding over-reliance on a single vendor and developing contingency plans with multiple service providers is advised. Businesses should also utilise endpoint detection and response (EDR) tools alongside threat intelligence platforms to detect anomalies. Finally, having secure cloud-based assets by enforcing encryption, access controls and multi-factor authentication (MFA) is recommended.  

What will be the biggest cyber threat for firms in 2025 and how will this impact supply chains? 

LI: As we move towards the end of 2024, we continue to see shifts in the threat landscape – for instance in Q3, we saw marked increases in targeting of the technology sector, users being targeted with information stealer malware and, more recently, a rise in activity from well-known ransomware gangs such as BlackBasta and Clop. The resurgence of these gangs, that had been largely quiet this year, indicates that well-established ransomware operations are not going anywhere and will likely focus on Big Game Hunting going into 2025. 

With 2024 being one of the first years we observed documented attacks using AI technology, it is likely that threat actors will continue to improve upon their use of such tools in 2025. In addition, it is likely that we will see more and more actors targeting cloud services and software-as-a-service applications. Such attacks could cripple supply chains by targeting logistics systems, IoT devices and software repositories. Strengthening cloud resilience and adopting advanced threat detection with an emphasis on rapid response and ensuring business continuity can go a long way to mitigate risks. 


How can organisations ensure supply chain partners adhere to cybersecurity best practices?

TC: Due to the associated risks and now formal compliance requirements stipulated within DORA and NIS2, it is very important that organisations establish a formal third-party and supply chain risk management capability. This should include repeatable processes that ensure all your third parties (and relevant fourth parties) are catalogued and tiered based on factors such as what critical business processes they support and the sensitivity of data they process on your behalf.

Following this key step, it’s important to carry out regular risk and due diligence assessments to attain a strong level of assurance that they are operating securely and bolster this by integrating obligations into contracts (DORA specifically requires this) that require a strong level of demonstrable security practices. Such assessments should not only consider controls that proactively monitor for and reduce the risk of a security incident, but also robust incident response processes and communication plans (including swiftly notifying your organization) that are regularly tested.  

How can firms integrate protections against AI-driven threats into existing security training and protocols? 

LI: Firms should be proactive in preparing employees for the threat of AI in cyber attacks – explaining how deepfakes or voice-cloning may be used to socially engineer the victims to disclose confidential information or act on a malicious phishing email. Companies should train users on how to detect such content by recognising anomalies in language, graphics or video. Organisations should also perform simulation tests to validate whether employees can accurately identify AI-generated content. In addition, particularly when it comes to protecting supply chains, organisations should create a culture of trust but verify, reminding users that they may confirm identities via real-world (“in real life”), secure channels if suspicious activity is detected.  

The Digital Operational Resilience Act (DORA) applies as of 17 January 2025

What lessons from last year's CrowdStrike outage should firms incorporate to prepare for similar disruption? 

TC: This incident clearly highlighted what regulators have been worried about – and warning about – for many years: the risks arising from the interconnected nature of modern IT infrastructure and the need for proactive resiliency planning and preparedness. While CrowdStrike quickly published a remediation guide that described the issue and the fix, each organisation had to move quickly to understand how to implement it as broadly and quickly as possible. However, in many cases, businesses had to ascertain the impact caused to their larger ecosystem. For example, even if they were not impacted directly, their third-party supply chain may have been, with potential knock-on effects including business services disruption.

There are key areas to focus on to mitigate the associated risks. Kroll highly recommends that organisations review and enhance their capabilities across these domains:

  • Proactive risk management including regular risk assessments, identification of critical functions and systems and the development of appropriate treatment/mitigation strategies/frameworks. 

  • Robust business continuity, disaster recovery and resilience planning, covering key internal and external systems/services, as well as backup and recovery solutions which are tested on a regular basis. 

  • Incident response plans and processes which are clearly defined and tested via various disruption scenarios, including, where appropriate, critical third parties/systems.   

  • Third-party/supply chain risk management, including continuous governance, clear communication channels and repeatable risk assessment/mitigation assessments to ensure they meet security standards.  

  • Effective change management/development processes, ensuring rigorous planning, testing and quality assurance controls are embedded into change management and the software development lifecycle. 

Cloud services are critical to modern supply chains. Picture: Getty Images

What threats do cloud-related risks pose to supply chains and what should organisations do to ensure the resilience of their cloud infrastructure? 

LI: Cloud services are critical to modern supply chains, offering platforms for communication, data storage and operational tools. Cyberattacks such as DDoS attacks, ransomware or misconfigurations can result in outages that disrupt supply chain operations dependent on cloud platforms. Supply chains relying on external cloud service providers face risks from shared vulnerabilities, including insufficient patch management or insecure APIs. Further, a breach in one cloud-integrated supplier can propagate malware through the supply chain, impacting multiple stakeholders. 

Firms should implement a robust cloud security strategy including encryption and regular audits as well as strengthening their vendor oversight with detailed risk assessments of cloud providers to ensure compliance with cybersecurity standards like ISO 27001 or SOC 2. Further, having good cybersecurity hygiene like requiring MFA, applying security patches and updates promptly, and implementing continuous monitoring with SIEM tools and cloud-native monitoring solutions to detect and respond to threats in real time should be considered standard practice.

How should tech firms adapt to combat threats from nation-state actors?

LI: Given the rise in VPN and phishing exploits by nation-states, firms must implement end-to-end encryption, secure coding practices, and advanced monitoring for abnormal network activities. Collaboration with intelligence providers can also pre-empt potential threats. 

How can organisations leverage DORA’s principles to reduce supply chain vulnerabilities?

TC: DORA explicitly requires organisations to first identify their critical business processes, and then map them to the underlying technology assets, as well as third parties, that support them. This essentially guides firms towards identifying critical dependencies, and ensuring real-time monitoring, as well as regular testing of these dependencies, is in place. The testing should use a combination of activities such as vulnerability scanning, penetration testing, audits and incident simulation/tabletop exercises. In addition to this, it is crucial that organisations integrate cyber scenarios into their regular business continuity and disaster recovery planning and resiliency testing processes. This includes critical third parties where appropriate.   
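The mapping exercise described in this answer, and the cataloguing and tiering of third and fourth parties described earlier, can be expressed as a small dependency graph. The following is an added example, not Kroll's or any real organisation's data or tooling: the process, asset and supplier inventories are constructed sample data, and the tiering rule (a supplier inherits the highest criticality or data sensitivity of any process it underpins) is an assumed, illustrative policy. It inverts the process → asset → supplier map, follows fourth-party links so that a provider hidden behind another provider still surfaces, assigns each supplier a tier, and reports which processes a given supplier's failure would disrupt.

```python
from collections import defaultdict

# Constructed sample inventory (assumed data, not any real organisation's).
# Each business process records its criticality (1 low .. 3 high), the
# sensitivity of the data it handles (1 .. 3) and the assets it relies on.
PROCESSES = {
    "payments":        {"criticality": 3, "sensitivity": 3, "assets": ["core-banking", "msg-gateway"]},
    "customer-portal": {"criticality": 2, "sensitivity": 2, "assets": ["web-frontend", "msg-gateway"]},
    "marketing-site":  {"criticality": 1, "sensitivity": 1, "assets": ["web-frontend"]},
}

# Asset -> third parties that directly provide or host it (constructed).
ASSETS = {
    "core-banking": ["cloud-a"],
    "msg-gateway":  ["telco-b"],
    "web-frontend": ["cloud-a", "cdn-c"],
}

# Third party -> its own suppliers, i.e. the organisation's fourth parties (constructed).
SUPPLIERS = {
    "cloud-a": [],
    "telco-b": ["cloud-a"],  # the telco runs its gateway on cloud-a
    "cdn-c":   ["dns-d"],
    "dns-d":   [],
}


def upstream_suppliers(supplier, suppliers=SUPPLIERS):
    """Every party transitively behind `supplier` (fourth parties and beyond), excluding itself."""
    seen, stack = set(), list(suppliers.get(supplier, []))
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(suppliers.get(s, []))
    return seen


def processes_by_supplier(processes=PROCESSES, assets=ASSETS, suppliers=SUPPLIERS):
    """Invert the process -> asset -> supplier map into supplier -> processes it underpins,
    following fourth-party links so that hidden dependencies are surfaced."""
    supported = defaultdict(set)
    for proc, info in processes.items():
        for asset in info["assets"]:
            for direct in assets.get(asset, []):
                supported[direct].add(proc)
                for indirect in upstream_suppliers(direct, suppliers):
                    supported[indirect].add(proc)
    return dict(supported)


def tier(supplier, processes=PROCESSES, assets=ASSETS, suppliers=SUPPLIERS):
    """Assumed tiering policy: the supplier inherits the highest criticality or data
    sensitivity of any process it supports; 3 -> tier 1, 2 -> tier 2, 1 -> tier 3.
    Returns None for a supplier that supports no catalogued process."""
    procs = processes_by_supplier(processes, assets, suppliers).get(supplier)
    if not procs:
        return None
    score = max(max(processes[p]["criticality"], processes[p]["sensitivity"]) for p in procs)
    return {3: 1, 2: 2, 1: 3}[score]


def tier_report(processes=PROCESSES, assets=ASSETS, suppliers=SUPPLIERS):
    """Supplier -> tier for every catalogued third and fourth party."""
    return {s: tier(s, processes, assets, suppliers) for s in suppliers}


def blast_radius(supplier, processes=PROCESSES, assets=ASSETS, suppliers=SUPPLIERS):
    """Processes disrupted if `supplier` fails: the cascading-failure case the interview describes."""
    return sorted(processes_by_supplier(processes, assets, suppliers).get(supplier, set()))


if __name__ == "__main__":
    for s, t in tier_report().items():
        print(f"{s}: tier {t}, failure would disrupt {blast_radius(s)}")
```

Note that dns-d never appears in the asset inventory at all, yet it comes out as a tier 2 dependency of the customer portal because the CDN rests on it; that is the kind of fourth-party dependency the contractual and due-diligence obligations in the answer are meant to reach. The same inverted map is the starting point for deciding which suppliers' outages belong in tabletop and resilience testing scenarios.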

How else will DORA influence activity in the sector? 

TC: DORA is set to influence the cybersecurity landscape by mandating higher transparency in incident reporting, harmonizing testing standards like red teaming, and enforcing stringent third-party risk management protocols. These changes will prompt businesses to adopt proactive and sustainable resilience measures, reducing long-term risks and enhancing digital operational integrity.

While DORA is currently getting a lot of attention, there is, of course, another EU regulation on the horizon: the EU Cyber Resilience Act, which will undergo a phased implementation culminating in full applicability by 2027. Its primary focus is on building robust security and vulnerability management mechanisms into vendors’ development and post-sale support processes for products with digital elements. This will complement DORA by ensuring vendors are also accountable for securing the products which enterprise organisations consume. 


Supply Chain Digital is a BizClik brand.
