Everyone’s Part of a Supply Chain

Supply Chain Attacks In 2023

Malware Isn’t the Only Threat

Supply chain attacks are a growing problem for businesses across the globe.

According to a recent report, supply chain attacks caused more data breaches than standard malware in 2022. Similarly, Gartner found that 89% of companies have experienced a supplier risk event in the past five years. And the signs are this number will increase in the years to come.

Supply Chain Attacks VS Malware

Supply chain attacks affected 10 million people from 1,743 businesses in 2022. By contrast, traditional malware-based attacks impacted 4.3 million – less than half.

Professional services by numbers

The security landscape

The professional services industry is prone to attack. Cybercriminals target organisations three times a week, on average. Threat actors know there’s a lot on the line for their victims, which gives them an incentive to attack.

Why Do Cybercriminals Target Supply Chains?

For many cybercriminals, suppliers represent the weakest point in the target’s digital defences. Especially at the enterprise level.

Breaching an enterprise’s digital defences is tough. With substantial resources at their disposal, enterprises can afford to invest in the best cybersecurity tools and processes to keep their assets safe. But cybercriminals have learned that they don’t need to target a corporate giant directly to get what they want.

Suppliers and service providers can’t afford the same level of protection. By attacking the weakest link in a supply chain, cybercriminals can side-step the product or service provider’s defensive perimeter and gain access to their systems.

Supply chain attacks are particularly effective because of the implicit trust businesses place in their suppliers. Only 13% of UK businesses assess the cyber risks posed by their immediate suppliers, according to recent government data. And that figure drops to just 7% for the wider supply chain. Cybercriminals exploit this confidence to target richer pickings further downstream.

7 Types Of Supply Chain Attack to Watch Out For

Supply chain attacks can be as varied as they are devastating. Some involve inserting malicious code into a piece of software, while others aim to compromise legitimate websites. The first step to protecting yourself and your customers is to know more about the most common supply chain attacks and how they work.

  • 1. Compromised software tools.

    The hacker introduces vulnerabilities into your software development tools, infrastructure, or processes. This compromises any applications you build from them, putting customers at risk.

  • 2. Pre-installed malware.

    The hacker installs malware on your devices, which infects the downstream customer’s systems with malicious code when they try to connect to the company network.

  • 3. Corrupted firmware components.

    The hacker installs malicious code onto device firmware, granting them access to the target’s systems or network.

  • 4. Stolen certificates.

    The hacker steals official product certificates to distribute malicious applications under the guise of legitimate software products.

  • 5. Website builders.

    The hacker compromises your website via your website builder. For example, by installing redirect scripts that send visitors to a malicious website when they enter your URL.

  • 6. Watering hole attacks.

    The hacker identifies supplier websites that receive a lot of traffic from a target business or multiple businesses within a specific sector. Then, they insert malware into the watering hole site – a remote access trojan, for example – that exploits weaknesses in the target’s defences to infect their systems.

  • 7. Third-party data stores.

    The hacker infiltrates the target’s third-party data canter to steal sensitive business or customer information. For example, via a botnet.

How are Enterprises Managing the Threat?

Enterprises are Re-Evaluating their Options

High-profile incidents like the 2019-2020 SolarWinds attack demonstrate the catastrophic effect a successful supply chain attack can have. The perpetrators exploited a weakness in the company’s Orion software to infect over 18,000 systems worldwide, most notably the US Departments of State and Health. But amidst the damage and disruption, it also served as a wake-up call for enterprises on the dangers of an unsecured supply chain.

In response, enterprises are adopting measures to minimise their supply chain risks. This includes scrutinising their suppliers to identify any obvious deficiencies in their cybersecurity.

Raising Awareness
Among Suppliers

For today’s businesses, the defensive perimeter extends beyond their systems to encompass suppliers further up the supply chain.

All it takes is one weak link to compromise everyone else connected to it. To tackle this threat, enterprises are working with suppliers to increase awareness of cyber threats.

Robust cybersecurity is no longer a nice to have for suppliers, it’s a necessity. Enterprises expect you to have a minimum level of protection as standard (more on that shortly). They expect you to stay up to date with the latest threats and adapt your cybersecurity tools, processes, and policies accordingly.

Introducing More Stringent
RFP Cybersecurity
Requirements

Following NIST Best Practice Guidance

Enterprises are looking to government agencies and other authoritative sources to enhance cybersecurity across the supply chain. Chief among these is the Best Practices in Cyber Supply Chain Risk Management, created by the National Institute of Standards and Technology (NIST).

The document lays out three basic principles enterprises must follow to secure their supply chains:

Cybersecurity is more than a technology problem

There shouldn’t be any gap between digital and physical security

Build your defences on the principle that your systems will be breached

It also includes examples of key cybersecurity questions enterprises should ask suppliers and best practice advice for securing the supply chain. Not only is it an invaluable resource for enterprises, but it also provides vital guidance for suppliers who want to know how to meet today’s more stringent cybersecurity requirements.

Questions For Suppliers

Best Practices For Enterprises

Is your software/hardware process documented, repeatable, and measurable?

How do you stay updated on emerging vulnerabilities?

What controls are in place to manage and monitor your production processes?

What level of malware protection do you have in place?

What physical and digital access controls do you use?

How do you assure security throughout the product lifecycle?

How do you ensure upstream suppliers adhere to cybersecurity best practices?

Work with suppliers to address any vulnerabilities and security gaps.

Adopt a ‘one strike and you’re out’ policy with suppliers.

Obtain the source code for all purchased software.

Implement track and trace programmes to ascertain the provenance of all components and systems.

Automate manufacture and testing regimes to minimise tampering.

Provide legacy support for end-of-life products and platforms.

Run secure software lifecycle development programmes and training for engineers.

Suppliers Can’t Afford
To Rest On Their Laurels

When it comes to cybersecurity, the stakes are even higher for downstream suppliers than the enterprises they serve.

Unlike enterprises, few SMEs can absorb the financial and reputational impact of a successful cyberattack. This is especially true for suppliers who won’t get a second chance to prove themselves to their clients as more businesses adopt the ‘one strike and you’re out’ rule.

So, what can you do to protect yourself and your clients from supply chain attacks?

Get your House In Order

Good cyber hygiene starts at home. While you can’t control what other businesses in the supply chain are doing, you can ensure you have the right cybersecurity controls, processes, and policies in place. This includes providing regular training opportunities for staff to keep them up to date on the latest cyber threats and best practices.

Remember, robust cybersecurity doesn’t have to cost the earth. The UK government’s Cyber Essentials scheme provides a simple and cost-effective framework to improve your cybersecurity posture.

Cyber essentials measures your business’s cybersecurity against five key criteria. These are:

1. Malware protection

2. Network firewalls

3. Secure configuration

4. Access control

5. System update management

Adopting these measures can reduce your cyber risk by up to 98.5% – including those that emanate from the supply chain. But you shouldn’t stop at certification. For the best protection, consider activating data encryption and multi-factor authentication on all company devices.

Additionally, it’s important to enshrine your tools and processes in a comprehensive cybersecurity policy. Supply chain attacks often work by exploiting the implicit trust businesses place in suppliers. A company policy ensures staff know how to spot potential threats and what to do about them.

Encourage Partners To Review their Security

Once you’ve organised your defences, you can focus on addressing potential weaknesses elsewhere in the supply chain.Start an open discussion with your fellow suppliers, providers, and vendors. This gives everyone a forum to share their security tips and experiences, which allows you to spot issues quickly and builds trust. Equally important, a collaborative approach helps you develop consistent security standards for everyone in the supply chain.

Adopt NCSC Best Practices

The National Cybersecurity Centre (NCSC) is a government organisation that provides best-practice guidance and support for businesses. To combat the increase in supply chain attacks, the NCSC released a guide to supply chain security in 2018.

This document breaks supply chain security down into 12 basic principles, making it an ideal starting point to improve supply chain security.

NCSC’s 12 Principles Of Supply Chain Security:

1. Understand what you need to protect and why

2. Know who your suppliers are and what their security looks like

3. Understand your supply chain risks

4.Communicate your security needs to your suppliers

5. Set and communicate minimum security requirements

6. Build security considerations into your contracting process, and ensure suppliers do the same

7. Meet your security responsibilities (as a supplier and consumer)

8. Raise security awareness in your supply chain

9. Provide support for security incidents

10. Build assurance activities into your supply chain management process

11. Encourage continuous cybersecurity improvement in your supply chain

12. Build trust with suppliers

Minimise your Supply Chain Risks With CyberSmart

Supply chain attacks are an intimidating proposition. You can’t dictate how other businesses approach security, but with the right support, you can minimise your risks.

Active Protect from CyberSmart helps you secure your business without a dedicated in-house team or expensive tools.
Active Protect provides around-the-clock monitoring and protection for every device that touches your data, instantly
identifying breaches and giving you jargon-free recommendations to address them.