Global supply chains have been dealing with challenges from every angle over the past couple of years, made worse by the COVID pandemic. In 2022, companies will likely be under increasing pressure as they continue to tackle shortages, delays, and pricing increases within the supply chain. On top of this, the ever-evolving cyber threat is impacting supply chains everywhere. Companies must improve cyber risk management among suppliers to support supply chain efficiency and reduce the chance of cyber attack.
Supply chain attacks are a serious cause for concern in the cyber security space since the damage can be so widespread, and this is exactly why they have become a popular method for cyber criminals. Nowadays, supply chains are complicated webs of businesses that are adopting more digitized processes and technologies, expanding the attack surface. Just one vulnerability in a supplier’s systems can cause extensive disruption and give a hacker access to a whole chain of organizations.
Since the first major supply chain attack to hit the media, the 2013 breach of the American retailer Target, we’ve seen these attacks rise exponentially, and around 84% of organizations now believe software supply chain attacks will be one of the biggest cyber threats to businesses within the next three years.
There is a range of supply chain attack methods used by cyber criminals, but some of the most common involve planting malware within a company’s systems before it’s distributed to users. This was the case in the well-known SolarWinds attack of 2020. Malicious code was injected into the Orion software build before it was rolled out to around 18,000 customers, including major corporations like MasterCard and PwC as well as government agencies, although the number of customers ultimately impacted is now predicted to be lower than 100. Other common threat vectors for supply chain attacks can include:
- Third-party software providers
- Data storage solutions
- Development or testing platforms
- Website building services.
Often, hackers will target smaller companies within a supply chain, as these are less likely to have advanced security solutions implemented, making them easier to breach. If that company is a supplier to much larger enterprises, hackers can then use it as a foothold to gain access to more valuable data and corporate resources.
The impact of a supply chain attack like SolarWinds is significant. Financial losses can accumulate because of a variety of factors including regulatory fines, investigatory costs and reputation management. These incidents can leave a lasting impression, affecting consumer trust down the line and consequently company revenue. It’s therefore vital for all organizations to tackle the supply chain threat, no matter the size or sector.
Supply chain security best practices
In essence, any supplier with access to your systems and data has the potential to pose a risk to your business. If a supplier does not follow best security practices, there is a high chance of them being breached, which is why it is important to go beyond assessing your internal security posture and look outwards to your wider supply chain. Organizations may do this to an extent, but many, especially larger ones, have a huge number of suppliers, and so while they might be risk-assessing their most direct suppliers, sub-contractors or ad hoc suppliers can be overlooked. Any one of these lower-tier suppliers may offer a backdoor for the hacker, so neglecting to vet them properly can add serious risk to your supply chain.
Identify your data: To formulate a clear picture of your supply chain and ultimately where the vulnerabilities could lie, it’s important to keep track of where your data is being held and who has access to it. How are your suppliers protecting and storing data? What user access controls do they have in place? Are they conducting proper employee background checks and terminating access when an employee leaves the company?
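The two points above (lower-tier suppliers get overlooked, and you need to know who holds which data) can be turned into a simple, repeatable check. The following is an added, constructed example written for this article, not a tool the article describes: it models the supply chain as a graph of suppliers and their sub-contractors, walks it from your direct suppliers outward, and reports every supplier at any tier that holds your data but has no completed risk assessment, plus a per-data-category exposure map. All supplier names, data categories and certifications are hypothetical.

```python
"""Walk a supplier graph and flag unassessed suppliers that hold our data.

Added example: the supplier inventory below is constructed and hypothetical.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    subcontractors: list[str] = field(default_factory=list)  # who this supplier relies on
    data_access: set[str] = field(default_factory=set)      # categories of our data they hold
    assessed: bool = False                                  # risk assessment completed?
    certifications: set[str] = field(default_factory=set)   # e.g. "ISO 27001", "Cyber Essentials"


# Constructed inventory: tier-1 suppliers were assessed, their sub-contractors were not.
SUPPLIERS = {
    "payroll-saas": Supplier("payroll-saas", ["cloud-host-a"], {"employee PII"}, True, {"ISO 27001"}),
    "cloud-host-a": Supplier("cloud-host-a", ["dc-contractor"], {"employee PII"}),
    "dc-contractor": Supplier("dc-contractor"),
    "web-agency": Supplier("web-agency", ["analytics-plugin"], {"customer email"}, True, {"Cyber Essentials"}),
    "analytics-plugin": Supplier("analytics-plugin", [], {"customer email"}),
    "office-cleaning": Supplier("office-cleaning"),
}

DIRECT_SUPPLIERS = ["payroll-saas", "web-agency", "office-cleaning"]


def walk_supply_chain(direct: list[str], suppliers: dict[str, Supplier]) -> dict[str, int]:
    """Breadth-first walk from the direct suppliers.

    Returns {supplier_name: tier}, where tier 1 is a direct supplier. A visited
    set guards against cycles (two suppliers that subcontract to each other), and
    a sub-contractor named by a supplier but missing from the inventory is still
    recorded, since an unknown supplier is exactly the gap we want surfaced.
    """
    tiers: dict[str, int] = {}
    queue = deque((name, 1) for name in direct)
    while queue:
        name, tier = queue.popleft()
        if name in tiers:
            continue
        tiers[name] = tier
        record = suppliers.get(name)
        for sub in (record.subcontractors if record else []):
            queue.append((sub, tier + 1))
    return tiers


def unassessed_with_data_access(direct: list[str], suppliers: dict[str, Supplier]):
    """Suppliers at any tier that hold our data but lack a completed assessment.

    Unknown suppliers are flagged too. Deepest tier sorts first, since those are
    the ones most often overlooked.
    """
    flagged = []
    for name, tier in walk_supply_chain(direct, suppliers).items():
        record = suppliers.get(name)
        if record is None:
            flagged.append((tier, name, ["<no inventory record>"]))
        elif record.data_access and not record.assessed:
            flagged.append((tier, name, sorted(record.data_access)))
    return sorted(flagged, key=lambda item: (-item[0], item[1]))


def data_exposure(direct: list[str], suppliers: dict[str, Supplier]) -> dict[str, list]:
    """Map each data category to every (tier, supplier) that can access it."""
    exposure: dict[str, list] = {}
    for name, tier in walk_supply_chain(direct, suppliers).items():
        record = suppliers.get(name)
        for category in (record.data_access if record else set()):
            exposure.setdefault(category, []).append((tier, name))
    return {category: sorted(entries) for category, entries in exposure.items()}


if __name__ == "__main__":
    for tier, name, data in unassessed_with_data_access(DIRECT_SUPPLIERS, SUPPLIERS):
        print(f"tier {tier}: {name} holds {', '.join(data)} and is not assessed")
    for category, holders in data_exposure(DIRECT_SUPPLIERS, SUPPLIERS).items():
        print(f"{category}: {holders}")
```

Run against the constructed inventory, the walk finds two tier-2 suppliers holding employee PII and customer email with no assessment on record, while the tier-1 suppliers that were assessed do not appear; the exposure map shows each data category alongside every supplier, at any depth, that can reach it. In practice the inventory would be loaded from a vendor register rather than hard-coded, and the `assessed` and `certifications` fields would come from the supplier policy evidence discussed below.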
Establish security expectations and communicate these to your suppliers: Being transparent with suppliers about what standards you want them to adhere to will help to encourage a trusting relationship as well as ensure that everyone understands where they need to be in terms of security. These requirements can be set out in a supplier policy for additional clarity.
Things like malware protection, patching expectations and access controls will be important here but it’s important to remember that cyber security goes beyond technology. Making sure suppliers have good processes and policies to keep human error to a minimum will also be critical to reducing the chance of a breach.
Many businesses will ask that suppliers meet a recognized third-party cyber security standard, as this makes it easier both for the suppliers to know what security measures and controls they must implement and for the business to see evidence of this being done, since most standards involve a certification of sorts. In the US, some popular ones include NIST and HIPAA, and in the UK, the government’s Cyber Essentials scheme covers core security controls that every business should comply with. There is also the internationally recognized ISO series, particularly ISO 27001, which helps businesses establish a high-level Information Security Management System.
Ensure suppliers are reporting incidents: If your supply chain does suffer an attack, it’s important to be able to locate the source as quickly as possible and contain the damage because these types of attacks can spread fast. If a supplier discovers suspicious activity, there should be processes in place which require the supplier to take steps to identify the attack source and notify you of what’s happened. You should have a risk communication plan in place so it is clear whose role it is to communicate what. Once you know there is a situation, your business can then react accordingly.
Monitor and Maintain: Cyber security and supply chain risk management is an ongoing process. As cyber threats evolve and cyber criminals become more sophisticated in their attacks, your strategies may need to change, so it’s necessary to regularly review both your internal setup and that of your suppliers and ensure you stay on top of any vulnerabilities that a hacker could exploit.
While you cannot completely mitigate the risk of a cyber attack on your supply chain, more can be done to gain better oversight of all your individual suppliers and the vulnerabilities they could be exposing in their processes, policies and controls. Digitization in supply chains is necessary to satisfy rising consumer demands, and this is likely to develop further. Cyber security must therefore be seen as a top priority for those managing supply chains, with the goal of implementing a solid strategy for minimizing cyber risks that is reviewed and updated in line with today’s changing threat landscape.