How to encourage continuous security improvement in your supply chain

Managing and monitoring cybersecurity across an entire supply chain is a challenging task. This is especially true if you’re an SME. However, knowledge and prevention strategies can greatly reduce the risk of a successful supply-chain attack. And, this can be extended to the suppliers and third parties in your supply chain.

Ultimately, the best way to improve your cybersecurity is to create a cohesive, collaborative environment that helps drive continuous security improvement internally and across your supply chain. We’ll explore how to do exactly that in this blog.

Why worry about supply chain attacks?

Supply chain attacks are nothing new but, now more than ever, businesses are accelerating their efforts to prevent them. The National Cyber Security Centre (NCSC) issued new guidance following the recent rise in supply chain attacks, revealing that only one in ten businesses review the risks posed by their immediate suppliers. Similarly, 44% of organisations say they will substantially increase their year-over-year spending on supply chain cybersecurity in the coming year. 

So there’s never been a better time to work with your suppliers to identify risks and ensure appropriate security measures are in place. To help you out, here are five simple steps.

5 steps to encourage continuous security improvement for supply chains

1. Understand the basics of cybersecurity

Begin by looking at your organisation. In today’s digital world, the bare minimum of cybersecurity isn’t enough. SMEs are often limited by knowledge and budget, but luckily, there are many accessible solutions to help improve your cybersecurity credentials. Government-backed schemes like Cyber Essentials require you to meet specific cybersecurity standards. By achieving accreditation, you’ll ensure you’re covering the basics. And, with this knowledge, you’re better prepared to assess your supply chain. 

2. Conduct a risk assessment 

Your supply chain might be extensive with many moving parts and people. Equally, it could be very small. No matter the size, take the time to conduct a thorough cybersecurity risk assessment of your supply chain. This might be asking suppliers whether they have cybersecurity accreditations, such as a Cyber Essentials certification, that help them stay secure and compliant. 

Look for specific risk factors in your supply chain. For example, payment processing software might be more susceptible to skimming attacks. Does your provider have cybersecurity measures to mitigate against this?  It’s happened to even established and seemingly secure businesses, so it could happen to your providers. 

3. Define contractual agreements

If you want to ensure everyone you work with takes cybersecurity seriously, the simplest step is to write cybersecurity requirements into your contracts with third parties and suppliers. This will allow you to define your expectations for cybersecurity and procedures for communicating and reporting incidents – making everybody safer in the process.

4. Encourage cybersecurity training

Certifications and contractual agreements can’t totally override human error. You already know your employees should receive cybersecurity training, but do your supply chain contacts also offer it to their employees? Consider making your partners aware of platforms to enhance employees’ cybersecurity training. While this is ultimately your suppliers’ responsibility, open communication about what’s available is beneficial and shows you prioritise cybersecurity.

5. Collaborate and share intelligence

Staying up to date with the latest cybersecurity news is a great method of staying aware of potential risks. Not all SMEs will have dedicated cybersecurity professionals to hand, so following news sources or trusted cybersecurity blogs can help you keep your knowledge up to date. 

It’s wise to share your findings with partners in your supply chain. This might be through a monthly email chain, communication channel like Microsoft Teams, or within your regular meetings. Open communication is key to improving collaboration with your supply chain and demonstrates a desire for a unified effort towards increased cybersecurity. 

Conclusion

The importance of supply chain cybersecurity can’t be overstated in today’s landscape. Ian McCormack, Deputy Director for Government Cyber Resilience at the National Cyber Security Centre, emphasises this in a recent statement:

“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”

Luckily, the road to improved and continuous supply chain security isn’t complex. By taking simple measures, such as a cybersecurity certification and collaborating closely with suppliers, your business will become more secure.

What SMEs must know about supply-chain attacks

If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.

The same principle applies in the cybersecurity landscape. Supply chain attacks have existed for some time, and are an infamous method of finding cybersecurity vulnerabilities to target seemingly secure businesses. Gartner predicts that by 2025, 45% of organisations globally will experience an attack on their software supply chain. Here’s how they work and what you need to know about them.

What is a supply chain attack?

A supply chain attack is when a cyber criminal exploits a vulnerability in a supply chain. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and regulations in place to manage their cybersecurity and keep problems at bay. 

But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure? 

Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit. 

Examples of supply chain attacks

1. SolarWinds

No supply chain attack discussion can ignore the SolarWinds supply chain attack. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWinds’ networks, and in the following months injected malicious code into their software, Orion. Later in 2020, SolarWinds unknowingly sent out hacked code via software updates – installing malicious code onto customer devices that could be used to spy. This infected many significant organisations, from small businesses to government bodies.

2. Target 

Known as one of the earlier supply chain attacks, Target, a U.S. superstore retailer, was impacted in 2013. Cybercriminals exploited vulnerabilities in the retailer’s point of sale (POS) systems to retrieve 40 million customer credit and debit card records. This data breach has since cost the business nearly $300 million.

3. British Airways

In 2018, British Airways was unknowingly impacted by code that harvested customer payment data from their website payment page. The code routed credit card information to an external domain. This is known as skimming: payment data is collected during the online checkout process without the customer or the business knowing. Magecart is suspected to be responsible for this skimming attack, and approximately 380,000 customers had their personal and financial data stolen.

SMEs and supply chain attacks

Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.

More than half (54%) of all U.K.-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are more vulnerable as they might not have rigorous security credentials. Additionally, SMEs are often part of a larger supply chain, making them a great target. 

How to protect your SME from supply chain attacks

Manage your cybersecurity first

Consider your cybersecurity status first. A basic cybersecurity certification, such as Cyber Essentials, will cover everything your business should do to protect itself from cyberattacks. Being certified can reduce cyber risk by up to 98.5%, and can help you with important steps like staff training and long-term cybersecurity support. 

Check your suppliers

Request that your suppliers show evidence of cybersecurity management. A certification can be all they need to remain secure. More high-risk suppliers should have equally risk-resilient cybersecurity measures in place. If they don’t, this should raise your alarm bells.

You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.

Implement an early warning system

A supply chain early warning system (EWS) can identify security threats in a supply chain using data. It analyses data and notifies the system administrator to suggest methods of mitigating the threat. An EWS reduces your reliance on human knowledge alone, and instead can autonomously detect threats. As attacks become increasingly complex, this is a great way to cover all bases against an attack you might not have encountered before.

A supply chain attack could happen to you

But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.

4 reasons why hackers attack the supply chain

You’re a hacker ready to launch an attack. What do you target? 

  • A: A single person or company that’ll get you a sizeable reward, if the attack is successful?
  • B: A supply chain that could get you access to hundreds, if not thousands, of companies and their data, if the attack is successful?

Supply chain attacks increased 633%, by 88,000 instances, in 2022. And it’s easy to see why.

With this increased risk, it’s good to understand what supply chain hacks are, why they happen, and how to protect your business from them as much as possible. 

What are supply chain hacks?

A supply chain hack is a type of cyberattack that targets organisations by exploiting weak links in third-party software, hardware, or services. In these cases, you could have very strong cybersecurity defences but suffer an attack because a supplier’s software has a vulnerability they weren’t aware of. Hackers use this to access your networks and data undetected and cause damage. 

Because these attacks are through legitimate supplier software/hardware, they can be more difficult to spot and stop. In the high-profile SolarWinds attack, it took months for professionals to understand how cyber criminals were gaining unauthorised access to networks and data.  

Why hackers attack supply chains

1. Collateral damage

By accessing a company that provides software or services to other companies, hackers can harm multiple targets in one hit. Instead of putting effort into attacking one company, they could potentially impact hundreds, if not thousands. Take the recent Okta attack as an example. Okta has 14,000 customers, and in one five-day attack, hackers impacted 366 of them.

This kind of attack doesn’t just cause immediate damage like data loss. It also causes long-term reputational challenges for suppliers. As supply chains rely on trust, customers lose confidence in their suppliers’ abilities to protect themselves, and therefore their customers, from cyber threats. 

2. Kudos 

Hacking is a skill – albeit a dangerous one in the wrong hands. And hackers have egos. If one can successfully infiltrate supply chains, access customer data, install malware, etc., on a large scale and cause widespread damage, they can brag about it. The bigger the attack, the better. 

3. Financial gain

A supply chain is a perfect place for a hacker to compromise cash flow and payment systems between multiple companies to gain access to sensitive financial information. They can divert payments, demand ransom, and leak/sell sensitive data on a large scale. The more money they can make, the more worthwhile the hack is.

4. Disruption and theft

As is the case with other types of cyberattacks, supply chain hacks cause a lot of disruption. Because so much data is available for exploitation in supply chains, cybercriminals attack them to get hold of vast amounts of personal data, intellectual property, and confidential business information. This…

  • severely disrupts and even stops operations
  • causes financial losses
  • damages trust
  • injures brand reputation

Safeguard your business against supply chain hacks

Few companies take steps to formally review risks in their supply chains – around one in ten businesses review the risks posed by their immediate (13%) and wider suppliers (7%). 

You need to work with suppliers and feel confident that they work to the same high standards as you. Supply chain attacks pose a very real threat, but don’t let it get to you. 

There are some simple and affordable ways to give yourself (and make sure your suppliers have) a good amount of protection against threats. 

One way is to get a Cyber Essentials certification. This is a government-backed scheme to help businesses protect themselves in five core areas:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Applying the five principles to how you work can reduce your cyber risk by 98.5% and give you the confidence and understanding you need to speak to your suppliers about their security practices.

What is a supply chain early warning system and how does it improve your cybersecurity?

89% of businesses have experienced a supply chain risk event in the past five years. Discover how a supply chain early warning system can help you reduce risk and stay one step ahead.

What is a supply chain early warning system?

A supply chain early warning system (EWS) identifies potential security threats in your supply chain, based on a combination of internal and external data. After analysing the data, the system notifies decision-makers and suggests measures to mitigate the threat or minimise the impact. Together with your cybersecurity tools, processes, and policies, it helps to protect your business against third-party threats.

In the past, supply chain early warning systems focussed on far-reaching external factors that could disrupt business operations, such as natural disasters, critical component shortages, or industrial action. But, due to the growing threat of supply chain attacks, today’s systems play a crucial role in protecting businesses against cybercriminals.

Supply chain attacks increased by 633% in 2022.

– Sonatype, Stats of the Software Supply Chain

5 supply chain cybersecurity risks an early warning system detects

Supply chain attacks surpassed traditional malware-based exploits by more than 40% in 2022, according to the Identity Theft Resource Center’s annual Data Breach Report. In the past twelve months, supply chain attacks impacted over 10 million people representing 1,734 entities.

What makes them so difficult to detect, let alone stop, is the diverse array of delivery methods. Of the numerous supply chain risks to be aware of, these are among the most common.

1. Watering hole attacks

The hacker inserts malicious software into a website that receives a lot of traffic from the target business or businesses. When someone visits the compromised site, the malware infiltrates the visitor’s defences to gain access to their systems or data. Watering hole attacks are difficult to detect and boast a higher-than-average success rate.

2. Compromised software development tools

The hacker compromises a supplier’s software development tools, infrastructure, or processes. This leaves any resulting applications built from them vulnerable to zero-day security exploits, putting end-users at risk.

3. Compromised website builders

The hacker compromises a supplier’s website via its website builder. Typically, the hacker installs malicious software or a redirect script into the target site, which sends users to a malicious clone of the website when they visit the URL.

4. Stolen product certificates

The hacker steals an official product certificate, which enables them to distribute malicious software and applications under the guise of legitimate products. 

5. Third-party data store breaches

The hacker infiltrates a third-party data centre, for example, via a botnet. Once inside, they can steal sensitive business or customer information which they can then:

  • Sell for profit on the dark web
  • Ransom back to the victim
  • Release to the public
  • Delete or corrupt

How do early warning systems protect you against supply chain threats?

Detect and respond to network vulnerabilities

Most businesses only realise a hacker has compromised their network when they spot suspicious activity, for example, when a network client scans the internet. But at this point, the damage may already be done. An early warning system proactively monitors your network for vulnerabilities and malware, giving you time to repair any breaches before hackers can exploit them.

Identify and assess cyber risks

An effective supply chain early warning system raises your awareness of external cybersecurity threats that may impact your business. When your system identifies a potentially harmful event or attacker, it notifies relevant stakeholders. This helps you:

  • Quickly spot and assess risks
  • Proactively monitor emerging threats or incidents
  • Prepare your defences to minimise or mitigate the impact on your business

Raise stakeholder awareness

By keeping stakeholders informed of current and emerging threats, early warning systems help to raise awareness of your supply chain risks. Over time, you’ll understand what to look out for and where to invest your cybersecurity budget to protect against online threats. 

Forewarned is forearmed

A supply chain early warning system adds another layer of defence to your cybersecurity. It gives you a clear view of your risk landscape, so you can detect and respond to online threats more effectively.

However, you don’t necessarily need a specialist tool to dramatically improve your supply chain security. Cyber Essentials certification can help you get the basics in place. Meanwhile, a generalist security tool like CyberSmart Active Protect can give you early warning of vulnerabilities within your own organisation, mitigating many of the risks your business faces. Likewise, following the NCSC’s guidance on mapping your supply chain can also help better protect your organisation.

You can’t always control the security of your suppliers or partners, but by getting the fundamentals down, you can minimise your risk.

What is a watering hole attack and how can you prevent them?

In 2018, the Cambodian Ministry of Defence and several Vietnamese news outlets fell victim to a sophisticated cyberattack targeting multiple high-profile websites across Southeast Asia.

The attack went undetected for months, during which time anyone who visited the compromised sites was redirected to a page controlled by the hackers. From there, the hackers were free to distribute malware to the unfortunate victims. The notorious OceanLotus threat group claimed responsibility.

This is known as a watering hole attack, and OceanLotus was by no means the first group to target places people visit rather than the individuals themselves. In this article, we explain what a watering hole attack is, how they work, and how you can protect your business against them.

What is a watering hole attack?

Watering hole attacks are a type of third-party or supply chain attack. The hacker aims to install malicious software on the victim’s computer or gain access to their network by compromising websites they visit frequently. The consequences can be severe, ranging from theft of sensitive customer information to making the victim’s computer part of a botnet.

The name “watering hole attack” derives from nature. Over the aeons, lions and other predators have adapted their hunting strategies to conserve energy. Instead of chasing prey across the scorching African savanna, they simply wait for the zebra or gazelle to visit a watering hole and pounce while it’s busy drinking. 

Cybercriminals typically use watering hole attacks to target large, well-protected organisations, either by compromising an employee’s computer or a partner business further up the supply chain.

Watering hole attacks are difficult to detect because they harness the implicit trust people place in well-known organisations and institutions. And, because many successful attacks target exploits in browsers or systems, they have a high success rate. 

How do watering hole attacks work?

The average watering hole attack unfolds over three stages. 

1. Reconnaissance

The hacker gathers intelligence about the target’s browsing habits. This can include a mix of publicly available information and illegally obtained private data. They can then use this information to create a shortlist of suitable sites to host the attack. Usually, these are sites with lower-than-average security.

2. Planning

Once the hacker identifies the most suitable hosting domains, it’s time to decide how to launch the attack. The two most common options are to:

  1. Probe the shortlisted hosting domains for any potential weaknesses the criminals can exploit to compromise the legitimate website.
  2. Create a spoofed version or clone of a shortlisted hosting site that contains malware.

Some cybercriminals may combine the two approaches to increase their odds of success. In this scenario, the hacker compromises a legitimate website and inserts a redirect code that sends victims to the fake site where the payload is delivered.

3. Design and execution

The hacker exploits any weaknesses to insert malicious code into the watering hole site or cloned website. Typically, this involves manipulating web technologies like HTML and JavaScript or using exploit kits that target specific IP addresses. When someone visits the compromised domain, their browser automatically downloads the malicious software. 

In the case of drive-by attacks, the hacker capitalises on the implicit trust users have in well-known websites by hiding malware in download buttons or links. When the victim clicks on the link, they inadvertently download the malicious software – often without even realising it. 

Remote access trojans (RATs) are a popular choice of malware among cybercriminals, as this grants access to the victim’s computer or systems.
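From the site owner's side, the injected redirect and the off-site script or form target described in the stages above are things you can audit your own pages for. The following Python sketch is an added example, not part of the original article; the hostnames, the sample page and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a checkout page after a hypothetical injection.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0; url=https://shop-example-login.test/">
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.min.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.example.org/widget.js"></script>
<script src="https://stats.collector.test/c.js"></script>
</head><body>
<form action="https://pay.collector.test/submit" method="post"></form>
</body></html>
"""


class ResourceAuditor(HTMLParser):
    """Flags scripts, iframes, form targets and meta redirects that leave
    the page's own host or an explicitly approved third-party host."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.allowed = {h.lower() for h in allowed_hosts} | {self.page_host}
        self.findings = []

    def _host(self, url):
        # Resolve relative URLs against the page so "/static/app.js"
        # is attributed to the page's own host.
        return (urlparse(urljoin(self.page_url, url)).hostname or "").lower()

    def _check(self, label, url):
        host = self._host(url)
        if host not in self.allowed:
            self.findings.append((label, host))
            return None
        return host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = self._check("unapproved-script-host", a["src"])
            # Approved third-party script, but nothing pins its content.
            if host and host != self.page_host and not a.get("integrity"):
                self.findings.append(("third-party-script-without-sri", host))
        elif tag == "iframe" and a.get("src"):
            self._check("unapproved-iframe-host", a["src"])
        elif tag == "form" and a.get("action"):
            self._check("form-posts-to-unapproved-host", a["action"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    target = part[4:].strip().strip("'\"")
                    self._check("meta-refresh-to-unapproved-host", target)


def audit_page(html, page_url, allowed_hosts):
    """Return a list of (finding, host) tuples in document order."""
    auditor = ResourceAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for finding, host in audit_page(
        SAMPLE_PAGE, "https://shop.example.com/checkout", {"cdn.example.org"}
    ):
        print(f"{finding}: {host}")
```

Run against a known-good snapshot of each page, the same check turns any new host or newly unpinned script into a change to investigate.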

*Image: Watering hole attack. Source: Supply chain security guidance, National Cyber Security Centre

How to prevent watering hole attacks

The first step is to familiarise yourself with cybersecurity best practices. Simple measures, like installing reliable antivirus software and upgrading your browser protection, can significantly reduce your cyber risk.

We recommend adopting these four measures, as a minimum.

Stay on top of system updates

Many cyberattacks work by exploiting unpatched vulnerabilities in operating systems, browsers, and software. And watering hole attacks are no different. By installing the latest security updates as soon as they become available, you can plug these gaps before cybercriminals have a chance to use them.

Regularly review and test your security

Many cybercriminals bank on the fact that most people think their antivirus software tackles threats for them. We recommend that you review your security tools, processes, and policies at least once a year to ensure you’re protected against the latest threats.

Educate and train your staff

The cybersecurity landscape is dynamic. Cybercriminals are constantly evolving their tactics and new threats emerge all the time. Then, there’s the human factor. According to Stanford University research, human error causes 85% of data breaches. Run regular training workshops to teach staff to identify suspicious activity, spot potential threats, and respond to cyber-attacks.

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme that provides a simple framework to help businesses protect against cyber-attacks. It’s separated into five technical controls:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Cyber Essentials is a more affordable option than advanced certifications, like ISO 27001. It’s also faster and less intensive, so it’s a good place to start. With the right guidance and support, you can become certified in just three days. This makes it the perfect solution for SMEs.

For more advanced recommendations, read the National Cyber Security Centre’s (NCSC) 12 principles of supply chain security.

It’s a jungle out there

Watering hole attacks are no longer a niche threat. Forbes named them as one of the top ten cybersecurity threats of 2022, reflecting the increase in supply chain attacks in recent years. 

The key thing to remember is that you’re not powerless. By adopting the measures we’ve recommended here, you can minimise your cyber risks and ensure you don’t fall prey to digital predators.
