A supply chain attack, sometimes referred to as a “value-chain” or “third-party attack”, occurs when someone penetrates your systems via an external partner or supplier who already has access to your systems, information and data. Due to the number of suppliers that companies are working with, as well as the recent increase in remote working across supply chains, the attack surface has increased drastically.
The Guardian reported on a recent supply chain attack that used software from SolarWinds, a networking tools developer. As part of this Russia-attributed attack, approximately 18 000 customers were affected and numerous government and company networks were penetrated. The attack impacted as many as 250 organizations. The hackers managed to penetrate multiple supply chain layers, and the outsourcing of different software solutions seemed to be one of the main drivers that resulted in the attack, culminating in an estimated cost of $90 million for cyber insurance firms (according to Bitsight).
It is important to be aware of where supply chain attacks can come from. Companies may encounter five kinds of cybersecurity risks in supply chains, namely: physical threats, breakdowns, indirect attacks, direct attacks and insider threats.
Physical threats are associated with items such as switches, servers, routers and other information and communication technology devices. Furthermore, environmental disasters such as flooding, heavy snow and tornados, deliberate damage to a firm’s infrastructure, theft and malfunctioning of infrastructural components, as well as terrorist attacks, all fall under this category of physical threats.
In terms of breakdowns, risks such as outdated firewalls and delayed cybersecurity updates can also attract the attention of hackers. Although these risks are more predictable compared to some of the risks mentioned above, the effects can also be dire.
Deliberate attacks can be broken down into direct and indirect attacks. Direct attacks involve being hacked, being denied service or having your password sniffed, all for the purpose of manipulating or threatening you for money (consider industrial espionage or an individual compromising your firm’s intellectual property). Indirect attacks are like bait used for fishing. If employees fall for the bait, hackers can access the systems for which the bait was meant. Trojans, worms, viruses, counterfeit products, as well as compromised hardware and software come to mind. Malicious code and spoofing attacks also feature in this category. In particular, phishing attacks (someone gaining access to sensitive information, whilst your employee thinks they can trust the software or device they are using) have increased in recent times.
Finally, employees who pose a cybersecurity threat are referred to as insider threats. From this perspective, careless employees who use simplistic passwords, write down their passwords or unintentionally disclose sensitive information are associated with this risk. These risks can also be fuelled by intent, for example opportunistic misuse of information or taking revenge. Whether these risks arise from negligence or premeditation, the human factor is key here.
Following the mantra, “smart executives learn from their mistakes, wise executives learn from the mistakes of others”, below are some ways you can take action:
Key strategies for protecting against supply chain attacks
- Develop an approach to identify, prioritize, and mitigate cybersecurity supply chain attacks and disruptions.
- Publish emergency response and crisis management guidelines.
- Create a risk-mitigation approach, which supports your global sourcing strategy.
- Collaborate with suppliers to support them in developing business continuity programmes which ensure the continuation of supply.
- Improve logistics continuity plans with global logistics partners.
Important outcomes for ensuring effective cybersecurity measures
- Emergency response and crisis management guidelines to decrease the effects of supply chain attacks and disruptions
- A cybersecurity preparedness plan
- A supply continuity plan for suppliers of critical parts
- A warehousing and inventory positioning strategy, which buffers supply disruptions
- A risk exposure database including a traffic light system, which provides early warning indicators of supply disruption
In order to identify the threats highlighted in any of the five threat categories mentioned above and to develop appropriate strategies in your supply chain, our risk and crisis management approach can help you to build your cybersecurity defensive and offensive capabilities, reduce your exposure, minimise your vulnerabilities and strengthen your defences, thereby decreasing the chances of a potential breach.
In addition, our threat management and incident response capabilities will enable you to take action quickly and forcefully against unexpected cybersecurity threats and increase your ability to respond and recover in a timely manner.
If the situation in your supply chain does not require urgent action at this moment, we also offer cybersecurity training programs, such as our cybersecurity in a day for executives program as well as our cyber security training and awareness program for your workforce, which is delivered in partnership with the British Computer Society (BCS).