You’re a hacker ready to launch an attack. What do you target? 

• A: A single person or company that’ll get you a sizeable reward, if the attack is successful?
• B: A supply chain that could get you access to hundreds, if not thousands, of companies and their data, if the attack is successful?

Supply chain attacks increased 633%, by 88,000 instances, in 2022. And it’s easy to see why.

With this increased risk, it’s good to understand what supply chain hacks are, why they happen, and how to protect your business from them as much as possible. 

What are supply chain hacks?

A supply chain hack is a type of cyberattack that targets organisations by exploiting weak links in third-party software, hardware, or services. In these cases, you could have very strong cybersecurity defences but suffer an attack because a supplier’s software has a vulnerability they weren’t aware of. Hackers use this to access your networks and data undetected and cause damage. 

Because these attacks are through legitimate supplier software/hardware, they can be more difficult to spot and stop. In the high-profile SolarWinds attack, it took months for professionals to understand how cyber criminals were gaining unauthorised access to networks and data.  

Why hackers attack supply chains

1. Collateral damage

By accessing a company that provides software or services to other companies, hackers can harm multiple targets in one hit. Instead of putting effort into attacking one company, they could potentially impact hundreds, if not thousands. Take the recent Otka attack as an example. Otka has 14,000 customers, and in one five-day attack, hackers impacted 366 of them. 

This kind of attack doesn’t just cause immediate damage like data loss. It also causes long-term reputational challenges for suppliers. As supply chains rely on trust, customers lose confidence in their suppliers’ abilities to protect themselves, and therefore their customers, from cyber threats. 

2. Kudos 

Hacking is a skill – albeit a dangerous one in the wrong hands. And hackers have egos. If one can successfully infiltrate supply chains, access customer data, install malware, etc., on a large scale and cause widespread damage, they can brag about it. The bigger the attack, the better. 

3. Financial gain

A supply chain is a perfect place for a hacker to compromise cash flow and payment systems between multiple companies to gain access to sensitive financial information. They can divert payments, demand ransom, and leak/sell sensitive data on a large scale. The more money they can make, the more worthwhile the hack is.

4. Disruption and theft

As is the case with other types of cyberattacks, supply chain hacks cause a lot of disruption. Because so much data is available for exploitation in supply chains, cybercriminals attack them to get hold of vast amounts of personal data, intellectual property, and confidential business information. This…

• severely disrupts and even stops operations
• causes financial losses
• damages trust
• injures brand reputation

Safeguard your business against supply chain hacks

Few companies take steps to formally review risks in their supply chains – around one in ten businesses review the risks posed by their immediate (13%) and wider suppliers (7%). 

You need to work with suppliers and feel confident that they work to the same high standards as you. Supply chain attacks pose a very real threat, but don’t let it get to you. 

There are some simple and affordable ways to give yourself (and make sure your suppliers have) a good amount of protection against threats. 

One way is to get a Cyber Essentials certification. This is a government-backed scheme to help businesses protect themselves in five core areas:

• Secure configuration
• Malware protection
• Network firewalls
• User access controls
• Security update management

Applying the five principles to how you work can reduce your cyber risk by 98.5% and give you the confidence and understanding you need to speak to your suppliers about their security practices.

Want to know more about the threat posed by supply chain attacks and learn how to protect your business? Check out our new guide for everything you need to know.

As attendees of our event CyberSmart Live! will know, one of the hottest topics within the cybersecurity industry at the moment is the proposed regulatory changes for managed service providers. The Department for Science, Innovation and Technology (DSIT) is planning changes to the scope of its Network & Information Systems (NIS) regulations to include MSPS. 

So, to help you understand whether your business is affected and what you need to do, here’s a quick summary of the potential changes.

What are the changes? 

Under the proposed framework, some MSPs (more on that later) will have a legal duty to:

• Register with the Information Commissioner’s Office (ICO)
• Take steps to secure their networks and information systems
• Minimise the impact of incidents on their networks and information systems
• Report incidents to the ICO

Why does this only apply to some MSPs?

The regulations don’t apply to small and micro providers. To qualify, your business must: 

• Employ more than 50 staff
• Have a turnover of more than €10 million per year

On top of this, only MSPs who meet the criteria of a digital service provider (DSP) under NIS regulations need to register with the ICO. NIS defines a DSP as “providing online marketplace services, cloud computing services, online search engine services or managed services.”

What are the changes to NIS regulations for? 

Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – felt moved to issue an official warning in 2022. 

MSPs are so attractive to hackers because they’re usually part of a supply chain and have access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically have access to large amounts of sensitive data – everything from financial information to breakdowns of customers’ security. 

We’ve seen countless examples of attacks on MSPs that lead to a huge breach across their entire client base. The NIS regulations are an answer to this. The proposed changes represent a real attempt by DSIT better to protect MSPs and their customers from the growing threat. 

When are the regulations due to come into force?

As of 13th April 2023, the Government has confirmed that it will go ahead with the proposed reforms to amend the NIS Regulations. So, we’re expecting to see the changes come into force sometime in 2024. Although, it should be noted that this is subject to the government finding “a suitable legislative vehicle”.

Is there anything else you should know?

At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.

Here is a follow up video we did with the Department for Science, Innovation and Technology that goes into further detail on the proposed NIS regulations for MSPs.

Times are tough for SMEs, with many facing tough financial decisions. So, to help out, we’ve put together a step-by-step guide to cybersecurity on a budget. Read it here.

According to security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – Managed Service Providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers? 

Why are MSPs being targeted? 

Upon first hearing, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security. 

In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.

In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.

What are the consequences of a breach?

The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.

Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.

A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue.

Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves thus to customers. So the news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.

We’ve dealt with the direct consequences, let’s move on to indirect. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is due to their customer base. And it’s your customers who could be the most affected by an attack.

A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.

What can MSPs do to protect themselves and their customers? 

We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.

Set up multi-factor authentication (MFA)

MFA is an authentication method that requires you to provide two or more verification methods to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

MFA is also a sure-fire way to protect your business against cyberattacks. Passwords alone are vulnerable to data leaks and brute-force attacks. MFA, on the other hand, is very tricky for even the most sophisticated hackers to crack. 

Back up your systems and data

Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.

For more on how to do it, read this.

Segregate networks 

Both you and your customers should segment networks and systems as much as possible. What do we mean by segment? Well, one example is to never use admin credentials across multiple customers or systems.

Another is to ensure that no one has access or privileges beyond what they need to do their job. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts.

Train staff

At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.

Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more, here. 

Develop incident response plans

A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen.

You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector. 

Regularly patch software

Patching or updating any software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. Applying patches released by the software provider can fix this.

Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software effectively does the same thing, giving you air-tight cybersecurity. 

The best part? It won’t take you anywhere near as long as fixing a puncture, just a couple of minutes each month. 

Map your supply chain risks

Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.