If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.
The same principle applies in the cybersecurity landscape. Supply chain attacks have existed for some time, and are an infamous method of finding cybersecurity vulnerabilities to target seemingly secure businesses. Gartner predicts that by 2025, 45% of organisations globally will experience an attack on their software supply chain. Here’s how they work and what you need to know about them.
What is a supply chain attack?
A supply chain attack is when a cyber criminal exploits a vulnerability in a supply chain. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and regulations in place to manage their cybersecurity and keep problems at bay.
But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure?
Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit.
Examples of supply chain attacks
No supply chain attack discussion can ignore the SolarWinds supply chain attack. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWind’s networks, and in the following months injected malicious code into their software, Orion. Later in 2020, SolarWinds unknowingly sent out hacked code via software updates – installing malicious code onto customer devices that could be used to spy. This infected many significant organisations, from small businesses to government bodies.
Known as one of the earlier supply chain attacks, Target, a U.S. superstore retailer, was impacted in 2013. Cybercriminals exploited vulnerabilities in the retailer’s point of sale (POS) systems to retrieve 40 million customer credit and debit card information. The cost of this data breach has since cost the business nearly $300 million.
3. British Airways
In 2018, British Airways was unknowingly impacted by a code that harvested customer payment data using their website payment page. The code routed credit card information to an external domain. This is known as skimming, when payment data is unknowingly collected during the online purchase checkout process. Magecart is suspected to be responsible for this skimming attack, and approximately 380,000 customers had their personal and financial data stolen.
SMEs and supply chain attacks
Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.
More than half (54%) of all U.K.-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are more vulnerable as they might not have rigorous security credentials. Additionally, SMEs are often part of a larger supply chain, making them a great target.
How to protect your SME from supply chain attacks
Manage your cybersecurity first
Consider your cybersecurity status first. A basic cybersecurity certification, such as Cyber Essentials, will cover everything your business should do to protect itself from cyberattacks. Being certified can reduce cyber risk by up to 98.5%, and can help you with important steps like staff training and long-term cybersecurity support.
Check your suppliers
Request that your suppliers show evidence of cybersecurity management. A certification can be all they need to remain secure. More high-risk suppliers should have equally risk-resilient cybersecurity measures in place. If they don’t, this should raise your alarm bells.
You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.
Implement an early warning system
A supply chain early warning system (EWS) can identify security threats in a supply chain using data. It analyses data and notifies the system administrator to suggest methods of mitigating the threat. An EWS reduces your reliance on human knowledge alone, and instead can autonomously detect threats. As types of attacks become increasingly more complex, this is a great method of covering all bases if it’s an attack you might not have encountered before.
A supply chain attack could happen to you
But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.