For any organisation, managing its supply chain can present many challenges. Cyber-security adds further complexity, and a business is only as well protected from cyber-attacks as the weakest partner in its supply chain.
To protect your company from this modern day threat it is vitally important that you adopt procedures that identify any risks from cyber-attack in your supply chain and make robust plans to mitigate them.
Government figures released in January 2019 revealed that more than 40 per cent of UK businesses had experienced a cyber-security breach or attack in the last 12 months.
Cyber attackers are becoming increasingly flexible, targeting a range of victims including third-party software providers, website builders and data aggregators. This means businesses must be savvy in protecting themselves against the very real risk of cyber-attack and in ensuring their suppliers are protected too.
Deliberate cyber-attacks can reach a business through any number of vulnerable points in its supply chain.
Not in every case, but often, smaller businesses in the supply chain have the weakest cyber security because of their more limited budgets, which in turn poses a risk to the larger companies that work with them. Cyber criminals attack supply chains because a single compromise lets them reach a larger audience all at once.
In January 2018 the National Cyber Security Centre produced a paper highlighting examples of supply chain cyber-attacks.
One example cited was that of the Shylock banking trojan. It was focused on e-banking in the UK, Italy and the US. The attackers compromised legitimate websites through website builders used by creative and digital agencies. They employed a redirect script, which sent victims to a malicious domain owned by the Shylock authors. From there, the Shylock malware was downloaded and installed onto the systems of those browsing legitimate websites.
In July 2014 the threat from the group behind the virus was reduced by a joint operation between law enforcement agencies and the cyber security community.
Another issue to be aware of is third party data stores.
Many businesses outsource their data to companies which aggregate, store, process and broker the information. Sensitive data is not only about customers; it could also include the structure of the business, its financial health, strategy and exposure to risk. For example, in the past, firms dealing with high-profile mergers and acquisitions have been targeted.
Businesses should also be aware of the risk of ‘watering hole attacks’. This type of attack works by identifying a website that is visited by users in a targeted organisation or an entire sector, such as defence, government or healthcare. The website is compromised to enable the distribution of malware. The attacker first identifies weaknesses in its main target’s cyber-security and then manipulates the watering hole site to deliver malware that will exploit those weaknesses.
Attackers are increasingly exploiting ‘watering hole’ sites to conduct espionage attacks on targets across a variety of industries.
The examples given highlight the risks of cyber-attack in the supply chain. To mitigate the risk, businesses should work closely with members of their supply chain to formulate common processes.
There are some basic steps that businesses can follow:
• Evaluate cyber risk at the beginning of any new business relationship
• Complete a comprehensive appraisal of new suppliers’ cyber-security measures
• Think about including clauses in contracts that focus on cyber-security and responsibility for any compromise
• Conduct regular reviews of your suppliers’ cyber-security to identify risks
SMEs that are disproportionately exposed to cyber-security risks should consider obtaining Cyber Essentials accreditation, which will add to their reputation as a well-defended supply chain partner.
3M Buckley Innovation Centre
West Yorkshire HD1 3BD