Effective cybersecurity is challenging enough for many organisations, but when you add supply chains to the mix, which may include hundreds or even thousands of suppliers, the challenge grows massively.
There have been numerous instances where an organisation has been breached as a result of hackers finding a way in via third parties such as suppliers and contractors.
Probably the most infamous example of a breach via a supply chain was the 2013 Target breach. Hackers breached the US retail giant by stealing credentials from a third-party heating company that had access to Target’s networks to monitor its systems. That company fell victim to a spear phishing attack a few months before the main attack on Target. The hackers then installed malware onto Target’s point of sale systems that stole customer credit card details and sent them to a compromised Target server, from which the data was sent overseas. The breach resulted in the theft of up to 40 million credit and debit card details. So far, the cost to Target has been over $200 million.
Breaches via a supply chain can occur in many different ways. A supplier could inadvertently introduce malware into a network via a phishing email, or a vendor’s credentials could be stolen, giving a hacker remote access to an enterprise the vendor works with. Either route leads to the infiltration of an enterprise’s network via a trusted source.
Hackers seeking to breach a large organisation often do their homework and seek to take advantage of their supply chains. Various methods such as social engineering allow them to learn who their target does business with or who their suppliers are. Social media also allows them to learn who the best people are to target with phishing emails or approach.
If they are particularly determined, they are likely to go through every part of the supply chain to find any vulnerability. Once they find one, they will then seek to exploit it. Once in, they can then cause trouble right along the chain.
Large organisations’ supply chains are made up of small and medium-sized organisations. Because of their smaller sizes and budgets, these are often considered the weakest link in the chain, as their cybersecurity measures are unlikely to be as effective as those of larger organisations.
David Carroll, Chief Executive at XQ Cyber, says: “Forward-thinking supply chain operators know that the way to reduce risk is to support their suppliers and partners, by providing tools and services that enable them to improve their security, rather than by burdening them with endless questionnaires.”
Organisations at the top end of a supply chain should encourage their suppliers to adopt a cyber-aware culture. By adopting government schemes such as Cyber Essentials and educating employees at all levels, you can reduce the threat.
The belief that “a cyber-attack will never happen to me” is a surprisingly common reason why businesses don’t invest properly in cybersecurity. Small businesses, in particular, are likely to believe this, as they think they’re too small to be noticed by cybercriminals. In reality, SMEs are targeted more often precisely because they appear to be a ‘soft target’ and a potential way into a larger organisation’s supply chain. It’s because of this that large organisations should regularly assess the cybersecurity of their supply chain.
We all receive spam emails; they are a part of everyday life. However, by educating employees and members of a supply chain on how to spot a suspicious email, you can cut the likelihood of a phishing attack succeeding. Most of the time these emails are caught by an email service provider’s spam filters, but hackers are tenacious and are constantly finding ways to circumvent them.
Proper awareness training can help staff recognise the signs that an email might not be legitimate. If in doubt, it is best to refer the email to your internal security team and not click on any link or attachment: chances are high that it is a phishing email and that the link or attachment carries malware. Many businesses and organisations have fallen victim to such attacks.
Good cyber hygiene can help you avoid many cyber dangers. Don’t visit dodgy-looking websites, and never click on links on such sites. Promoting a cyber-aware culture through the Cyber Essentials scheme throughout your business can reduce the threat dramatically.
Ensuring that the organisations in a supply chain have well thought out policies and procedures in place can help to protect against cyber-attack. Examples include policies that give users access only to what they require for their role, and that prevent them from plugging in personal devices or removable media. Likewise, an audit of assets helps you keep track of what is part of your network and, more crucially, what isn’t. Finally, make sure there is continued awareness of these practices, in the same way that fire drills are carried out regularly.
When your computer notifies you that it needs to update, don’t ignore it. Patches for vulnerabilities are released all the time, so ensure that you keep your computer up to date. It’s for your own good! Encourage your supply chain partners to keep their anti-virus and other security applications up to date as well.
Developed by XQ Cyber, CyberScore™ quantifies supply chain risk by automatically testing and rating the security of all parts of the chain. It peer-rates suppliers based on objective, empirical data and provides in-depth guidance and support to the supply chain members that are most at risk.
*Article originally posted at: http://www.supplychaindigital.com/technology/comment-back-basics-throttle-supply-chain-cyber-threat