A cyberattack in your supply chain can compromise confidential data, resulting in reputational damage, a loss of customers, and financial harm to your business.
With the ongoing occurrence and increase in supply chain cyberattacks, how prepared is your business, and how secure is your supply chain?
During the last 12 months, supply chains have been vulnerable to many cyberattacks. According to the State of the Software Supply Chain 2020 Report, supply chain attacks grew 420% in just 12 months.
In this post we’ll explore:
What is a supply chain attack
Types of supply chain attacks
How to prevent supply chain attacks
What is a supply chain attack?
A supply chain attack happens when a business experiences a compromise through a vulnerability in its supply chain. Complex, geographically dispersed, and interconnected supply chain networks increase the risk of cyberattacks because businesses that are less secure are often targeted to gain access to larger enterprises to infiltrate or corrupt their data.
In a report by Accenture, “forty percent of cybersecurity attacks are now thought to originate within the extended supply chain.”
What’s vital to note is that any inventory holding business can experience a data breach regardless of its size. While small and medium-sized businesses often think they won’t be suitable targets as they don’t contain ‘attractive information,’ don’t be misled – hackers will use these businesses as ‘stepping stones’ to gain access to other enterprises and their systems.
The cost of a supply chain attack can be damaging to your business. The online publication Supply & Demand Chain Executive states, “…with an average cyberattack costing approximately $3.9 million due to system downtime, damaged reputation, lost business, or other factors, it is imperative that we bolster efforts to secure our supply chains.”
What should also be non-negotiable is adopting and encouraging a ‘security culture’ across your business. In the KnowBe2.com security culture report, it states that a “Security Culture encompasses knowledge as a starting point, but also includes seven additional critical dimensions: attitude, behavior, cognition, communication, compliance, norms, and responsibilities”
Know your suppliers and their security controls.
Implementing good security controls will help reduce the likelihood and impact of cyberattacks. These controls will also reassure your customers, suppliers, and employees that your business has taken appropriate measures to protect their data.
The role players, such as your suppliers or your supplier’s suppliers, can pose a risk to:
- The quality of service you supply to your customers.
- The ongoing availability of your product or service.
- The confidentiality of your customer’s information.
If your suppliers do not implement security controls appropriate to mitigate the relevant risks, those suppliers will effectively weaken your security framework. If one of your suppliers experiences a data breach, both your company’s and your client’s information could be compromised.
The types of cyberattacks you should be aware of.
Account compromise is when an unauthorized person gains access to your account to gain a foothold to execute a more powerful attack. This is one of the most common causes of data breaches. Weak passwords and reused passwords across your accounts make your account extremely vulnerable to attackers. Passwords compromised in breaches are often posted on the dark web. They can be used to successfully compromise many more applications due to the poor practice of password reuse across platforms. It has now been discovered that the cent Colonial Pipeline breach was a result of a compromised password. On-line publication, Bloomberg, reported “Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. “The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked.”
Phishing is when an attacker uses social engineering to convince you to share sensitive information, passwords or click on a link to take a specific action. In KnowBe4’s latest blog post, they highlight two recent phishing campaigns named the IcedID and QBot, both banking Trojans used by a variety of attackers across the world. In the post, it states, “IcedID is a banking Trojan capable of web injects, VM [virtual machine] detection and other malicious actions,” the researchers explain. “It consists of two parts , the downloader and the main body that performs all the malicious activity. The main body is hidden in a PNG image, which is downloaded and decrypted by the downloader. QBot is also a banking Trojan. It’s a single executable with an embedded DLL (main body) capable of downloading and running additional modules that perform malicious activity: web injects, email collection, password grabbing, etc.”
Malware is software designed to cause damage to a computer, server, client, or computer network. Other types of malware can include computer viruses, worms, trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware.
Ransomware is a type of malware where an attacker blocks you from accessing your data or operating system until you pay a fee. Two recent examples, Sky News reported the recent attack by ransomware syndicate the REvil gang, which affected businesses across the USA. “Hackers who claim to be behind a mass ransomware attack that has affected hundreds of companies have demanded $70m in Bitcoin to restore the data. The attack was executed on Friday and has affected at least 200 companies in the United States’. Another example, the global meat producer, JBS USA Holdings, was held to ransom (to the sum of $11 million) by cybercriminals who temporarily stopped processing plants across the USA, according to TransportTopics online.
How to prevent a supply chain attack
Get to know your suppliers:
- How long have they been in business?
- Are they solvent?
- Are they able to provide stock items in full and on time?
Audit your suppliers:
- What security controls are in place?
- How do they store your information (in the cloud)?
- Who has access to your information?
- Have they implemented security-related policies and procedures?
- Do they undergo regular external audits?
- Are they willing to provide their latest SOC 2 for review, or do they have an ISO certification in place?
It’s essential to obtain attestation to their security controls so that you have evidence that their controls have been audited. A supplier may still be working towards certification, in which case their latest penetration test can serve as an attestation to their security controls.
Review your supplier’s terms of conditions:
- Ensure the contract includes a commitment to implementing appropriate security controls. If you don’t have a contract in place, you have no means of recourse.
- Review your Service Level Agreement (SLA) and ensure the agreement includes information about the supplier’s commitment to delivering supply, adherence to confidentiality, and data ownership.
Formalize data processing agreements.
Audit your internal processes:
- Identify vulnerable gaps in your security setup.
Have security policies and procedures in place for your company and employees:
- Ensure internal processes are in place if a data breach occurs.
- Establish a thorough Incident Response Plan to reduce the impact of an attack. Once you have this in place, perform regular testing of the plan.
- Implement tools to manage the security of remote working devices.
Have strong password controls:
- Use a different strong password for each account.
- Passwords should be complex, not common phrases, and contain a selection of letters, numbers, and special characters. There are many personal and work-related passwords one has to remember.
- Consider using password manager software that will help ensure you have strong passwords set across all your accounts.
- Encourage multi-factor authentication to be activated on all devices.
- Limit employee access to sensitive data.
Train your employees:
- Regular training sessions.
- Communicate and increase cyber attack awareness.
- Develop a ‘security culture’.
- Stay up to date about new trends and viruses affecting supply chains.
Supply chain security needs to be an ongoing top priority in your business operations and forms part of your supply chain best practices.
While you can’t eliminate all risks in your supply chain, you can stay alert!
Monitor your internal security controls regularly so you can detect suspicious activity quickly and respond effectively.