When it comes to cybersecurity, any organization is only as strong as its weakest link. It may have invested in the best email security solutions, information security, web security solutions, and Advanced Threat Protection (ATP) on the market. It may also have trained its employees to recognize and react to cyber-attacks and put in place the processes to deal with social engineering lures.
But if one of its suppliers or partners has a less than rigorous approach to cybersecurity, all that good work could be put to waste. It only takes one person at one company to lose focus for a moment, and a virus could be working its way through hundreds or even thousands of other organizations.
When you consider how interconnected the business world now is and how much collaboration takes place, there are numerous potential vulnerabilities. There have been many supply chain cyber-attacks over the last two years, and such attacks are only going to increase. But when collaboration and interconnected supply chains are so common, how can organizations hope to stay protected?
The rise in supply chain cyber-attacks
Supply chain cyber-attacks are a growing trend in cybersecurity in terms of both the volume of attacks that occur and their impact. A recent example is the management software firm Kaseya, which fell victim to a ransomware attack initially thought to have affected fewer than 40 of its customers. However, a security response firm said three managed service providers it worked with had also been exposed to the attack and that, in total, more than 200 companies were affected.
It is thought that the Russia-linked REvil group was behind the attack and also that the final tally of affected parties could be much higher after a supermarket chain closed almost 800 stores after one of its contractors became a target. But this is far from the only example, and attackers will stop at nothing to gain access to an organization’s wider connections across its supply chain.
Modes of supply chain cyber-attack
Ransomware is a popular mode of attack with which cyber-criminals can target supply chains. Fortra research in 2020 revealed that a lack of cybersecurity awareness among UK public sector employees was leaving the sector vulnerable to ransomware attacks. The ease with which ransomware can gain access to an organization’s systems and then spread rapidly across the supply chain is a major cause of concern.
Phishing is another common way for cyber-criminals to target a supply chain. Spear-phishing and social engineering techniques are increasingly popular, and the emails are crafted to look as though they came from someone the recipient knows. They contain malicious URLs hidden in attachments, files, documents, and images that, when opened, release malware into the network and on through the supply chain.
The consequences of such attacks are severe. Not only can they bring an entire supply chain down in just a few moments, disrupting operations and leaving organizations vulnerable to ransomware demands, but there is also the long-term damage to reputation to consider. If vulnerabilities on the part of a smaller supplier were responsible for an attack, would a bigger organization remain keen to work with that supplier in the future? Would other potential partners and collaborators be put off if they knew that company’s cybersecurity was putting the entire supply chain at risk?
Fortra's research with Financial Services (FS) CISOs in Q4 2020 revealed that, according to nearly half of respondents, cybersecurity weakness in the supply chain had the potential to cause the most damage in the next 12 months. It’s a big problem that requires an immediate solution.
Implementing a cyber-supply chain risk management strategy
Such is the threat posed by supply chain cyber-attacks that many organizations have started implementing a cyber-supply chain risk management (C-SCRM) strategy. This is a process that acknowledges the threat inherent in any supply chain and addresses it by identifying, assessing, and mitigating the associated risks.
It’s partly a technological solution, but also a behavioral shift that needs to permeate the entire organization. Trust plays an important role when considering any new partner or supplier. But more rigorous onboarding is increasingly important and should always include thorough due diligence to ensure that the new company’s cybersecurity is strong enough.
C-SCRM needs to be approached as a cybersecurity practice of the highest importance. It won’t be effective if it’s an afterthought or is not given the required time or resources. It’s a crucial element of cybersecurity and must be treated as such. It also involves a commitment to knowing your supply chain. Who are your leading suppliers, partners, and collaborators? What cybersecurity measures do they have in place, and are they GDPR compliant? Who else do they partner with, and what are their own cybersecurity criteria for those partners?
Maintaining supply chain cybersecurity
When an organization has this level of understanding, it can put in place controls tailored to each supplier's criticality and cybersecurity practices. C-SCRM of this kind can be very effective but is only one part of a broader cybersecurity strategy.
Cybercriminals will not stop targeting the supply chain, so all parties must work together to maintain defenses. The right solutions are a vital part of that process, and Clearswift works with many organizations globally to keep their supply chains secure.