In 2020, cybersecurity attacks on supply chains surged because of Covid-19, and it’s predicted that cyberattacks will cause $6trn (USD) worth of damages in 2021.
What is a supply chain attack?
A supply chain attack is a particular type of cyberattack that seeks to damage an organization by targeting less secure elements in the supply chain. It happens when a hacker infiltrates your system via a partner vendor or provider with access to your system and data.
These hackers aren’t picky; they’ll target any industry from the financial sector, oil industry, to government sectors. Historically, supply chains overlooked their own security, but there is now growing frustration on how best to tackle this issue.
Examples of supply chain threats and risks
Supply chain threats can penetrate many departments of a business simultaneously. Here are the types of risks involved.
| Type of Risk | Consequences |
|---|---|
| Supply Risk | • Inaccessibility of suppliers • Theft of vendor credentials • Breach from the vendor network • Modification of the source code through malware • Supply of compromised software |
| Operational Risk | • Malfunctioning of the plant • Sudden interruption in operation • Failure to detect coding errors • Product specification fraud • Data theft |
| Customer Risk | • Intellectual property theft • Manipulation of data • unauthorized access to customer’s data • Fraudulent communication • Information sabotage |
Real-world third-party attacks
General Electric and Canon, 2020
In February 2020, one of General Electric’s third-party suppliers, Canon, experienced a data leak through unauthorized employee access. The leak exposed a mass of personal data, including details of passports, driving licenses, birth certificates, and tax forms. Canon wasn’t able to discover how many people were affected by the breach.
SolarWinds malware attack, 2021
Earlier this year, SolarWinds, the network management software used by around 18 000 organizations, including US Homeland Security, had malware planted by hackers after being certified as ready for customers.
CNA, 2021
One of America’s biggest insurance companies, CNA, which also offers cyber insurance, was subject to a likely ransomware attack in March 2021. The attack caused network disruption so severe that CNA were forced to take down the affected systems from the network, which included corporate email.
The principles of supply chain security
The principles of supply chain security ensure a complete overview of your supply chain and establish effective control throughout. The principles are separated into stages, making supply chain security accessible, thorough, and manageable.
Understand what needs to be protected and why
Looking at the sensitivity of your own supply chain contracts, identify the value of the assets and data that has been or will be shared. In addition to this, assess the level of protection needed for:
- the assets
- how they’re handled
- the product or services themselves
Vulnerabilities in software
Software and third-party platforms (and the trust put into them) are more extensive than ever as the pandemic demanded an even faster move to digitization due to national lockdowns and new border controls.
It’s critical to acknowledge and be cognizant that malware can be inserted into third-party software applications (or hardware, for that matter) by hackers before delivery or integration in the form of counterfeits or originals that have been maliciously tampered with.
Malicious hackers are also experts at finding security gaps and vulnerabilities in wider networks once in place, so understanding how your vendor manages their cybersecurity must be a priority.
Gain Control
While it can seem insurmountable, establishing control of supply chain cybersecurity is doable and manageable – it comes down to action and communication internally and externally.
1. Revisit and reinforce your own security responsibilities – as a supplier and consumer.
The supply chain will see you as a consumer and supplier, meaning your cybersecurity responsibilities in these roles can both overlap and differ. You’ll be subject to specific requirements as a supplier, such as following industry audits and standards, and at the same time, will need to request reports from such audits from your own vendors.
2. Communicate your minimum levels of security and incident response requirements.
Establish and communicate the minimum level of security needed for your suppliers that are justifiable, reasonable, achievable, and to a degree, flexible. Creating one-size-fits-all cybersecurity measures won’t adequately account for the varying levels of risk or the types of contracts you’ll inevitably have.
Identify existing suppliers who don’t meet your minimum requirements and let them know what they are, along with the rationale.
In addition to agreeing with plans for incident responses, these proactive bare minimums will enable you to build security considerations into the procurement processes, saving time and resources on retrospective contractual fixes and security breaches. It’ll also give you the collateral to provide to suppliers to do the same in their own organization for full-circle supply chain security.
3. Train all parties, including employees.
Despite malware and ransomware attacks becoming more common and involving higher stakes, the actual impact and risk factors are often underestimated. Training and educating all parties involved, including employees, emphasizes the importance of forming and keeping good habits and open communication channels for spotting missed vulnerabilities and improvement opportunities.
Continuous Improvements
Supply chain cybersecurity requires continuous improvements and changes as you introduce new suppliers, gain new customers, and the types of threats and attacks evolve.
Industry compliance standards, such as PCI-DSS, and the necessary audits naturally show the existing state of your systems, highlighting the areas needing improvement. However, conducting frequent risk assessments and practicing disaster recovery outside of audits should be a regular task.
Maintaining the rule of least privilege and ensuring that no one person holds too much power or influence over cybersecurity measures is vital.
A complete supply chain security strategy requires risk management principles and cyber defense in depth. It needs to adhere to protocols set by government agencies and customs regulations.
Pro-active, extensive, and validated cybersecurity solutions – ENHALO
Supply Chain Threat Detection – Continuously finds compromised credentials, domain squatters, exposed subdomains, and domain servers to avoid the risk of breach and brand damage.
Security Operations Center – Proactively monitors external and internal threats, provides rapid response to incidents, protects both digital and physical assets, and assists with meeting sector-based security compliance.
Security Awareness Training & Testing – Turn your staff into your strongest security asset; turn a human error into a human firewall.
The supply chain is only secure when every link in the chain takes responsibility and holds others accountable.
