“There has been a 742% average annual increase in software supply chain attacks over the past 3 years”[i]
The above statistic might seem implausible, but supply chain cyber attacks have become a pressing issue for businesses as the reliance on technology and interconnected systems has grown. These attacks can compromise sensitive information, disrupt operations, and damage a company’s reputation. Understanding the nature of supply chain cyber attacks and how they can be prevented is essential for businesses to protect themselves and their customers, so let’s get started with the basics.
What Are Supply Chain Cyber Attacks?
Supply chain cyber attacks are incidents in which a vulnerability or weakness in a third-party supplier’s system is exploited to gain access to a company’s data or systems. These attacks are becoming increasingly common as hackers target the weakest link in the supply chain to gain access to sensitive information. A case in point is the SolarWinds cyber attack in 2020: hackers were able to compromise the company’s network management software, SolarWinds Orion, which was used by thousands of organisations worldwide. The attackers inserted malicious code into a software update of SolarWinds Orion, which was then distributed to customers who installed the update.
“When everything is connected to everything else, for better or worse, everything matters – your systems, your customers and every business linked to your organisation.”[ii]
How Supply Chain Attacks Create a Ripple-Down Effect
There are various ways a business could experience an attack from its supply chain and they include the following.
- A supplier’s widget design material is stolen in another country, resulting in a loss of your intellectual property and market share.
- A supplier’s critical systems are inaccessible due to ransomware attacks — disrupting your inventory and sales revenue.
- A supplier’s systems are breached and used to obtain unauthorised access to your business systems.
- A supplier’s systems are breached, and your customer’s sensitive information is made public.
These attacks highlight the importance of securing the entire supply chain and the potential risks associated with not assessing suppliers and identifying if they meet your business’s security governance, risk and compliance requirements. Let’s dive into how you can mitigate a supply chain cyber attack…
How Your Organisation Can Prevent Supply Chain Cyber Attacks
All businesses depend on technology to fulfil their business objectives. This technology is comprised of ICT/OT products and is delivered through and supported by services. However, effective Cyber Supply Chain Risk Management (C-SCRM) is needed to identify, assess, and mitigate the risks associated with the distributed and interconnected nature of information and communication technology and operational security technology (ICT/OT) product and service supply chains.
Furthermore, the depth, extent, and maturity of a C-SCRM capability for each enterprise should be based on the uniqueness of its business or mission, enterprise-specific compliance requirements, operational environment, risk appetite and risk tolerance.
There are various models for the implementation of supply chain risk management and the most popular remains the PPRR risk management model – Prevention, Preparedness, Response, and Recovery. However, to get started you may want to tick the following boxes.
- Define the term “Supplier”: Establish the definition of a supplier to ensure all third-party services and any IT connections are identified and addressed. For example, would you define a contractor as a supplier?
- Identify information requiring protection: Use your information classification scheme to determine which information requires which level of protection. If these tools are not available, you’ll need to define a scheme that identifies (at a minimum) confidential, personal, restricted or unrestricted information assets.
- Select risk benchmark and metrics: Choose a benchmark (e.g. ISO 27001) and metrics to measure the risk associated with each supplier.
- Triage Suppliers: Based on the volume and sensitivity of your data that the supplier is processing, storing, or transmitting, categorize suppliers into different risk categories, i.e., Critical, High, Medium or Low.
- Review Service Level Agreements (SLAs): Ensure that the SLAs with suppliers include provisions for breach notification, emergency response, insurance, liability, brand impact statements and exit procedures.
- Remediate: Upon identifying potential risks within the supply chain, direct suppliers to implement remedial controls to meet your company’s risk appetite.
- Act as a mentor: Mentor suppliers on how to improve their security practices and provide ongoing support to maintain a secure supply chain and good supplier relationships.
By following these steps, businesses can prevent supply chain cyber attacks and protect sensitive information from falling into the wrong hands.
Benefits of Establishing a C-SCRM Programme to Mitigate Supply Chain Cyber Attacks
The benefits of establishing and sustaining a C-SCRM capability cannot be overemphasized. We have highlighted below the key reasons why your business should establish a programme.
- An established programme will enable enterprises to understand which critical assets are most susceptible to supply chain weaknesses and vulnerabilities.
- C-SCRM reduces the likelihood of supply chain compromise from a cyber security threat by enhancing an enterprise’s ability to effectively detect, respond to, and recover from events that result in significant business disruptions, should a C-SCRM compromise occur.
- Operational and enterprise efficiencies are achieved through clear structure, purpose, and alignment with C-SCRM capabilities and the prioritisation, consolidation and streamlining of existing processes.
- There is greater assurance that acquired products are of high quality, authentic, reliable, resilient, maintainable, secure and safe.
- Suppliers, service providers, and the technology products and services that they provide are trustworthy and can be relied upon to meet performance requirements.
How Risk Crew Can Help
Supply chain cyber attacks pose a significant threat to businesses. Still, by implementing robust security measures, establishing clear security expectations for third-party suppliers, and providing regular training and awareness, companies can reduce the risk of these attacks and protect their sensitive information.
Risk Crew offers pragmatic, cost-effective and scalable solutions that are fully customizable to meet your specific risk objectives. Our methodology comprises seven (7) components – Onboarding, Triage, Assessment, Remediation, Security Testing, Monitoring & Mentoring and Offboarding. To get started, get in touch with a security expert today.
[ii] Risk Crew Richard Hollis