Cyber attacks on supply chains grew by a whopping 430% in 2021, according to a recent report from French reinsurer SCOR.
As supply chains have become more complex, digitised and interdependent, the report stresses, disruptions to their IT infrastructures threaten “cascading impacts” for affected companies, depending on how interconnected the relevant suppliers and clients are.
“Each technology-using link in a supply chain has a potential vulnerability,” says Nick Wagstaff, Principal Consultant at Proxima, a provider of supply chain solutions to FTSE 100 and Fortune 500 companies. “The SolarWinds attack is a prime example of how an infection in one small part of a supply chain can have major impacts on anyone using or connected to it, across multiple businesses and on a global scale.”
In Wagstaff’s assessment, phishing remains the biggest risk to corporate supply chains, particularly in the new world of hybrid working. “As users access working systems via less secure routes,” he says, “we have seen a massive increase in the scale and complexity of attacks.”
He also cites the growing threat of brandjacking, whereby attackers camouflage malware in web locations that resemble those of well-known brands, laying traps for unsuspecting visitors.
Such methods, he says, “point to an established network for attacking companies, whether to disrupt for the sake of it or to extort money”.
Building blocks
So, what sorts of circumstantial factors are driving those trends?
“Software used in supply chains is typically developed on building blocks,” Wagstaff says, “reusing code or components from various products, including pieces of open-source software. The complex nature of that design, compounded by constant redevelopment, can lead to vulnerabilities, which, in turn, can be exploited. In some cases, infections can lay dormant for several years, waiting for the right opportunity to attack.”
Amid the new work styles of lockdown, he notes, “Many corporate cyber defences were either relaxed or circumvented to preserve business continuity. Entire workforces based at home opened up never-before-seen areas of vulnerability.”
Wagstaff points out that while businesses have been aware of supply-chain cyber threats for years, and may have shored up their defences in more obvious areas with safeguards such as network firewalls, attackers are always looking for weak spots and testing areas where they could potentially break through.
For example, he warns, an infection in a company’s warehouse management system would prevent that business from processing its inventory. “As such, all elements of the supply chain must be protected to be effective.”
Choose wisely
Looking at areas where corporates are falling down, Wagstaff explains: “New software tends to go through a rigorous check to ensure it’s safe, but companies are not doing enough to constantly review and check the vulnerabilities of the existing solutions that make up their supply chains.
“For example, how often are patches deployed? How often are updates rolled out? Companies may put off upgrading to the latest software version to avoid the expense and complexity of newer systems, but that leaves hackers with an advantage when they’re looking for susceptible areas.”
He stresses: “Prevention is better than a fix. However, some companies deem the cost of prevention prohibitive and with so many different threats to consider, alongside different potential solutions, it can be difficult for companies to make the right choices.”
With that in mind, Wagstaff advises the following.
- Invest properly in your IT department and software This will help you to identify threats and appropriately guard against them.
- Employ a Chief Information Security Officer (CISO) Make them responsible for your cyber strategy and provide them with the necessary resources and funding to aid their success.
- Choose the right products Cyber threats change and evolve constantly, and so do the tools designed to defend against them. Don’t enter into long-term agreements, as the product could be out of date in a matter of months.
- Choose the right partners Look at software vendors or resellers with a cyber-security practice and a proven track record for supporting and protecting customers.
“Make sure your suppliers are doing all of the above within their own supply chains,” he says. “Carrying out regular audits of your key material suppliers is vital for ensuring that they are protecting themselves and, more importantly, you. Plus, as phishing is still the most obvious and successful attack method, regular employee training and internal testing is key to maintaining your company’s effectiveness at defending itself.”
Due diligence
Ian Pay, ICAEW Head of Data Analytics and Tech, says that it’s really important when performing due diligence over suppliers, whether of goods or services, that cyber risks are also taken into account. “If their cyber security controls aren’t up to scratch, a supplier with the best product or cheapest price could end up costing you substantially more than the contract is worth. Software vendors or cloud providers should be more than happy to respond to queries about their approaches to cyber security, and many will even make their security audits available to download.”
When it comes to data protection and any exchange of customer data, it’s important to remember that in the customer’s eyes – and in the eyes of the law – they engaged with you, not your supplier. As such, the responsibility to protect their data also falls to you, Pay explains.
“Even if you are on a strong legal footing, if there’s a data breach in your supply chain, the reputational damage could be severe. There’s no harm in applying the same stringent rules over your customer data to any of your business-critical, internal data.”
In a supply-chains context, he points out, phishing attacks will tend to involve efforts to redirect funds to different bank accounts. So, establishing clear processes around the maintenance of critical master data relating to suppliers, while setting clear protocols for verifying change requests, can be vital for managing cyber security risks.
“The modern world is highly interconnected,” says Pay. “There is no point trying to shy away from it. So, while businesses embrace that in their supply chains, and the opportunities it brings, it’s important to remember that the work you may have historically done to protect your internal systems is no less relevant when those systems sit with third parties.”
Cybercrime Awareness Month 2022
ICAEW marks the global Cyber Security Awareness month with a series of webinars, videos, podcast, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trend as well as supply chain risks and concerns.