Cyberspace is a growing risk for many businesses – a ticking time bomb waiting to go off when it’s least expected. In the current cyber threat landscape, it’s not a matter of if you’ll get attacked but when. Hackers are always coming up with ingenious new ways to perpetrate cyber crimes, be it data theft, ransomware attacks, phishing or DoS attacks.
Over recent years, the supply chain attack surface has quickly expanded, much to the worry of many organisations.
What is a supply chain attack?
Also known as a third-party or value chain attack, a supply chain attack exploits weak links in an organisation’s supply chain, creating an entry point to access target resources. Any organisation, individual, or entity that supplies goods or services to your business is part of your supply chain.
A supply chain attack has such an extensive threat surface considering all the digitised processes and affiliated businesses making up modern supply chains. For instance, a hacker can compromise a supplier’s offerings to infiltrate your corporate network.
The recent SolarWinds attack is a good example of a successful supply chain attack. At least a hundred hackers compromised more than 18,000 customers of networking tools vendor SolarWinds Corp. The attack affected more than 250 enterprises and some US government agencies. The attack was allegedly orchestrated by Russia, although the Russian government denies any involvement in the matter.
A supply chain attack can be highly targeted or indiscriminate. Your business and its customers can easily fall into a trap set for bigger fish, like in the case of SolarWinds.
A 2019 report shows a concerning 78% rise in supply chain attacks. And the situation is only getting worse as more businesses rely on third-party IT software, hardware and services.
How to guard against supply chain attacks
A supply chain can introduce potentially devastating cyber threats to your organisation. Some security-critical supply chain elements such as third-party contractors and automated processes are difficult to monitor and secure. But here are a few key ways to safeguard your business against these attacks.
Understand your threat surface
The first step to securing your supply chain is assessing its potential vulnerabilities. Evaluate your entire supply chain security posture to identify any weak links and security controls outside your reach. Remember, a cyber security strategy is only as effective as its weakest security measure. From there, secure every security loophole on your end using the appropriate solutions.
Manage supplier and partner relationships
Your suppliers, business partners and affiliates can become a hacker’s gateway to your protected corporate digital assets. Understand the risk factors associated with all your suppliers, and more importantly, work together to reach an agreeable security level. Or, to take a more cautious approach, demand every contractor or supplier you work with to meet pre-defined security standards. There needs to be a level of trust and transparency when collaborating with other organisations in a security-sensitive environment.
Use up-to-date systems
Updating system hardware and software is an underrated cyber security measure. A supply chain attack can incubate for months before reaching the target network. Patching a vulnerable system can halt an attack by sealing off critical entry points. Plus, newer software and hardware versions are equipped with more advanced security controls, making it harder for hackers to penetrate a corporate network through client-side endpoints in the first place.
Invest in proper cyber security incident response
Put in place a robust cyber incidence response plan to deal with imminent threats and progressing attacks. The action you take immediately after detecting an attack can determine the attack’s severity and scope. In other words, your initial response to a cyber incident can save or doom your business. First, focus on containing the threat to stop it from spreading to other systems. Then work on eradicating it, finding the source, and finally recovering from the incident.
A supply chain attack can come from the least obvious sources. Anyone in your circle of trust, including one-off contractors, software suppliers, cloud providers and even employees, can become a threat vector. Secure the supply chain from the inside and out to protect your business.
Get in touch and learn how to leverage our Managed Cyber Security and Incident Response Services to safeguard your organisation against supply chain attacks.
