What do you think of when you imagine a typical cyberattack?
If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Mariott breaches in 2020.
In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.
What do we mean by supply chains?
As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.
Think of it as akin to the way different species exist in nature. This relationship can be mutually beneficial; bees need the pollen from flowers for food and energy, flowers need bees for pollination. Or, the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARs) passed from animals to humans proves. The same is true of the ties between businesses.
Why do supply chains pose a cybersecurity risk?
When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough.
According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult.
However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises.
A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco.
How to protect your business
So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time.
Fortunately, there are a few things you can do to reduce the risks.
Get your cybersecurity in order
Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch.
A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:
- Is your internet connection secure?
- Are the most secure settings switched on for every company device?
- Do you have full control over who is accessing your data and services?
- Do you have adequate protection against viruses and malware?
- Are devices and software updated with the latest versions?
By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain.
But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices and implement a strong password policy and enforce it.
Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key.
Talk to your supplier and partners
The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice.
This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.
Aim to work with businesses that are Cyber Essentials certified
Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with.
Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do.
Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.