Stuart Jubb, Group Managing Director at Crossword Cybersecurity, outlines the need for a more strategic and collaborative approach to maintain visibility of supply chain attack threats
The risk of supply chain cyber-attacks is escalating. Over one-third (39%) of businesses reported cyber security breaches or attacks in the last 12 months according to the UK government’s recent Cyber Security Breach Survey, and the figure was even higher among medium (65%) and large businesses (64%). Since the customers and suppliers of a business of any size will inevitably be affected, most of these attacks could be defined as supply chain attacks.
The risk to local authority and government organisations, which can have extremely complex supply chains which include suppliers from the public and private sectors, is equally high.
What are supply chain attacks?
Supply chain attacks involve targeting an organisation by exploiting weak links in its supplier network. They usually entail continuous network hacking or infiltration processes to gain access to a firm’s network and cause disruptions or outages. The chain reaction triggered by one attack on a single supplier can compromise a complete network of providers.
The basic attack method – to trick a user into opening a file either as an attachment or clicking a web link to release malware into an organisation – has been used for a long time. In the past, these were done with more of a ‘hit and hope’ strategy for smaller potential gains. Today, they are much more organised and finely targeted, often with state-sponsored attack motives at play, such as the heightened risks posed by the war in Ukraine.
This more organised and targeted threat needs a strategic and organised response to ensure companies protect themselves and maintain visibility of threats wherever they sit within a supply chain.
Are you being watched?
In the case of a targeted supply chain attack, an organisation is often monitored way before the attackers make themselves known. Monitoring begins when an employee opens a file or clicks a link. The corporate network is then compromised, allowing attackers to conduct surveillance and select further targets, over weeks or even months. This information helps refine and design a more substantial attack to give them the rewards they seek.
Critically, this activity can go completely unnoticed, until such a time as the attacker decides to launch their grand finale attack! Equally, in the case of the public sector, an attacker may have a very specific goal in mind, gather the information they need and then disappear, raising no alarm that they were ever on the network. Worse still, they may also decide to leave some kind of back door open that will give the ability to remotely launch a future attack or easily regain access to the network if needed.
A proactive approach to cybersecurity
More than ever before, organisations need to deeply engrain their approach to cyber security in a way that takes into account the complete supply chain. Human error – clicking on that link and inadvertently providing information to a third party – is always going to be the weakest point in a company and can never truly be overcome.
Cross-organisational strategies are needed that bring together procurement, IT, training, HR and operations to create policies, processes and a culture that puts cyber security at the heart of every role.
It is also important for organisations to have a strong understanding of their readiness to protect themselves against cyber-attacks, for example by ensuring their cybersecurity strategy is aligned with industry standards such as ISO27001 or NIST.
From a technical standpoint, organisations should be employing technology that can proactively monitor their security posture at all times, detecting and analysing potential anomalous behaviours that may trigger cyber security incidents.
Go beyond your boundaries
Internally focused controls are not enough. The same approach to cybersecurity risk management should be taken when assessing third parties. Every organisation should have in place supply chain assurance processes that enable third parties to be quickly, consistently and continually assessed.
For public sector organisations with substantial supply chains, the process of supply chain risk management can be simplified and largely automated. The right technology platform can provide an overview of the status of supplier security checks, highlight specific high-risk suppliers, send automated alerts and reminders, and provide an audit trail and reports to support regulatory compliance.
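As an added illustration of the supplier assurance functions just described (status overview, high-risk flagging, automated reminders and an audit trail), here is a small Python tracker. It is example code written for this article, not Crossword's platform; the supplier names, the 365-day review interval and the 30-day "due soon" window are all assumed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Supplier:
    name: str
    critical: bool             # does a compromise here reach our network or data?
    last_assessed: Optional[date]
    open_findings: int = 0     # unresolved issues from the last assessment
    review_days: int = 365     # reassessment interval (assumed policy value)

def status(s: Supplier, today: date) -> str:
    """Classify a supplier's assessment state for the overview dashboard."""
    if s.last_assessed is None:
        return "never-assessed"
    due = s.last_assessed + timedelta(days=s.review_days)
    if today > due:
        return "overdue"
    if today + timedelta(days=30) >= due:      # assumed 30-day warning window
        return "due-soon"
    return "current"

def high_risk(s: Supplier, today: date) -> bool:
    """Critical suppliers whose assessment has lapsed or who carry open findings."""
    return s.critical and (status(s, today) != "current" or s.open_findings > 0)

def reminders(suppliers, today: date):
    """Automated reminders: one line per supplier needing attention, high-risk first."""
    out = []
    for s in sorted(suppliers, key=lambda x: not high_risk(x, today)):
        st = status(s, today)
        if st != "current" or s.open_findings:
            out.append(f"{s.name}: {st}, {s.open_findings} open finding(s)"
                       + (" [HIGH RISK]" if high_risk(s, today) else ""))
    return out

def record_assessment(s: Supplier, log: list, on: date, findings: int) -> None:
    """Audit trail: append an event for every assessment before updating state."""
    log.append((on.isoformat(), s.name, f"assessed, {findings} finding(s)"))
    s.last_assessed, s.open_findings = on, findings

# Constructed sample register (fictional suppliers, not real organisations).
TODAY = date(2023, 6, 1)
REGISTER = [
    Supplier("Payroll SaaS Ltd", True, date(2022, 1, 15), open_findings=2),
    Supplier("Catering Co", False, date(2023, 3, 1)),
    Supplier("Network MSP", True, None),
    Supplier("Print Services", False, date(2022, 6, 15)),
]
```

Running `reminders(REGISTER, TODAY)` lists the lapsed critical suppliers first, and each `record_assessment` call leaves a dated entry that can be exported for compliance reporting.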
By taking a proactive, cross-organisational approach to cybersecurity, local authorities and public sector organisations can minimise the risk of a successful cyber-attack either directly or via their supply chain. It would be a mistake for any organisation to think it can protect its supply chain alone – effective supply chain cybersecurity requires the ultimate collaboration and cooperation between all parties.
Written by Stuart Jubb, Group Managing Director at Crossword Cybersecurity