Large organisations' supply chains are often long and stretch across multiple points. As a result, an organisation's cyber security is only as strong as the weakest member of its supply chain.
In the first week of the year, Time Warner Cable (TWC), the USA's second largest cable provider, announced that up to 320,000 of its customers may have had their passwords and email addresses compromised. The company only discovered the leak after it was notified by the FBI that some of its customers' email addresses and passwords may have been compromised and put onto the Dark Web. The fact that it took the FBI to bring the issue to the company's attention suggests that TWC was not breached directly. Instead, it appears that the details were stolen via other methods.
The most likely culprit is a phishing attack targeting TWC customers. This is likely to have been achieved through a fake customer service email sent to customers or via a fake website. Another possibility is that the credentials were gathered through malware installations or by breaching a subcontractor in the supply chain who had access to some TWC customer information. If this is the case, then it raises the issue of both the security of the organisation's supply chain and phishing attacks.
The company said that it is sending emails and direct mail correspondence to encourage customers to update their email passwords as a precaution.
Supply Chains the Weak Link?
Determined hackers will take advantage of a supply chain by doing their research and learning which companies are in the supply chain of their primary target. They will go through every part of the supply chain to find a vulnerability and, once they have found one, they will exploit it. Once they find a way in, they can then spread malicious software throughout the entire chain.
Often, due to their smaller size and budgets, it will be the smaller organisations in the supply chain that are the weakest link, as their cyber security measures are unlikely to be as effective as those of larger ones.
A good way for SMEs to ensure that they take the matter of cyber security seriously is to obtain the Cyber Essentials accreditation. By doing so they will improve their reputation as a well defended supply chain partner and will be seen as a safer partner for larger organisations to work with.