You’ve taken the time to ensure your SME, church, or charity is cyber secure. You’ve installed firewalls, arranged staff training, and brought in consultants to oversee the administrative tasks. Excellent.
But what about your supply chain? Have you ensured you aren’t at risk from suppliers through their weak cybersecurity or fraudulent activity?
This article walks you through the potential impact of supply chain cyberattacks and how to protect yourself.
What is the cybersecurity risk from suppliers?
The latest statistics show that only 13% of businesses vet the cybersecurity of their immediate suppliers. Only 7% take a more thorough approach and vet the entire chain.
Taking these figures alone, we believe that almost all organisations are at risk from supply chain-originating cyberattacks. This is a real worry and means you should take immediate steps to protect yourself and plug this weakness.
How do supply chain cyberattacks work?
A supply chain attack could happen in any form but originates from one of your suppliers – almost always unwittingly.
For example, most medium or large organisations allow suppliers limited access to their systems. This typically involves financial data, sales records, contact information, authorisations, contract details, etc. If a hacker gains access to this third party through malware or phishing, they’ll have a way into your system.
Other supply chain attacks could come from emails or messages posing as the supplier. These could contain viruses, trojans, ‘new bank account’ information, or infected files or invoices.
Supply chain cyberattack case study: SolarWinds
The SolarWinds breach is one of the most sophisticated (discovered) cyberattacks in history. Hackers (who have yet to be identified but are suspected to be Russian) gained access to databases to secretly view and steal data.
SolarWinds is an ICT company based in Texas, USA. It provides infrastructure and application monitoring services and solutions to many large companies and governmental organisations with over 320,000 clients worldwide. Many federal databases were compromised as well as 499 of the 500 companies in the Fortune 500.
Hackers infiltrated SolarWinds without detection (and we still don’t know how). They then placed a trojan in Orion, SolarWinds’ network management software, which its clients receive as a supplier product. When clients installed the trojanised update, they unknowingly installed the trojan onto their own systems.
It was uncovered in December 2020 by cybersecurity consultants FireEye, at least eight months after attacks began and nearly two years after hackers first gained access. So far, it’s thought that access to confidential data was largely prevented. Still, all sorts of information could have been gathered. It’s so huge that the damage is impossible to estimate, and the economic impact is likely to be immense – even if we can’t directly quantify it.
NCSC guidance for assessing the cybersecurity of suppliers
The NCSC – part of GCHQ – has released new guidance on assessing supplier cybersecurity. Read the full report here. It’s well worth reading the entire thing, so you understand the magnitude of the threat. We’ll summarise the key steps you need to take here.
- Educate your organisation on the threat – breaches will inevitably happen if it isn’t taken seriously.
- Evaluate your existing suppliers – changes will most likely need to be made, including new contracts and evaluations.
- Monitor supplier activity consistently – watch for threats! Know what they should and should not be accessing and baseline what normal behaviour looks like.
- Insert cybersecurity clauses into all supplier contracts – specify a minimum security standard you expect your suppliers to meet – e.g. Cyber Essentials.
- Create security profiles for each supplier – these should include security questions stored in a separate location.
- Ensure the most critical parts of your system have extra protection – even if malicious software gets in, the lifeblood of your business should be fine.
- Apply strict access protocols and restrictions for all clients – suppliers should have only the access they need so that if they are breached the threat to you is limited.
- Scan all incoming files for malware regardless of origin.
- Support your suppliers as they make changes – most will need to.
- Continually review, assess, and improve the process – work with your suppliers on this.
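As an added illustration of the monitoring and least-privilege steps above (example code written for this summary, not part of the NCSC guidance or of any vendor product), the script below checks supplier account activity against an agreed access profile and a baseline of normal working hours. The account names, resource names and log lines are constructed, and the log format is assumed.

```python
# Constructed supplier profiles (hypothetical account and resource names):
# which systems each supplier account may touch, and its baseline working hours.
SUPPLIER_POLICY = {
    "acct-vendor-a": {"allowed": {"invoices", "contracts"}, "hours": range(8, 19)},
    "acct-vendor-b": {"allowed": {"sales"}, "hours": range(8, 19)},
}

# Constructed access log, one event per line: "timestamp account resource action".
SAMPLE_LOG = """\
2024-03-04T09:12:00 acct-vendor-a invoices read
2024-03-04T09:15:00 acct-vendor-a contracts read
2024-03-04T10:02:00 acct-vendor-b sales read
2024-03-04T10:40:00 acct-vendor-b invoices read
2024-03-05T02:30:00 acct-vendor-a invoices read
2024-03-05T11:00:00 acct-unknown sales read
"""


def parse_line(line):
    """Split one log line into its fields and extract the hour of day."""
    ts, account, resource, action = line.split()
    hour = int(ts[11:13])  # "YYYY-MM-DDTHH:MM:SS" -> HH
    return ts, account, resource, action, hour


def review_supplier_access(log_text, policy=SUPPLIER_POLICY):
    """Return (timestamp, account, reason) for every event outside the agreed profile."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action, hour = parse_line(line)
        rule = policy.get(account)
        if rule is None:
            # No security profile exists for this account: it should not be active at all.
            findings.append((ts, account, "no supplier profile for account"))
            continue
        if resource not in rule["allowed"]:
            # Access beyond the minimum the supplier needs (least privilege).
            findings.append((ts, account, f"access to '{resource}' outside agreed scope"))
        if hour not in rule["hours"]:
            # Deviation from the baseline of normal behaviour.
            findings.append((ts, account, f"activity at {hour:02d}:00 outside baseline hours"))
    return findings


if __name__ == "__main__":
    for ts, account, reason in review_supplier_access(SAMPLE_LOG):
        print(f"{ts} {account}: {reason}")
```

Each finding is a prompt to ask the supplier what happened, not proof of compromise; the same check works on real access logs once the profiles match your contracts.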
AMDH Services Ltd and cybersecurity
AMDH Services Ltd is a team of experienced ICT consultants. We have decades of experience in the industry and advise most organisations to invest in cloud-based systems. These streamline your processes and future-proof your business.
However, cybersecurity must never be forgotten. It’s just as crucial with cloud systems as any other. Follow the steps recommended by NCSC to protect yourself against supply chain threats.
If you’re at a loss for protecting yourself, please don’t hesitate to get in touch. Use the form below to send us a message, and we’ll get straight back to you for a free and friendly chat. It’s commitment-free, too. We’ll be happy to partner with your SME or charity to advise on and apply cybersecurity software, hardware and protocols.