A physical supply chain already presents numerous challenges to organisations, and cyber security adds to them.
A cyber security breach can prove devastating to a business and the supply chain is often the weak link that allows hackers to breach a business’s computer systems.
A report released by the UK Department of Business, Innovation and Skills on cyber security attacks showed that in 2013, 93% of large organisations and 87% of SMEs suffered a security breach. The number of attacks is increasing year-on-year and companies have reported a 50% increase in breaches since 2012.
As well as insider threats and outsider attacks, most businesses are vulnerable to weaknesses along the supply chain.
Some organisations' supply chains are long and stretched across multiple points. As a result, an organisation's cyber security is only as strong as the weakest member of the supply chain. Determined hackers will take advantage of this by doing their research on a company. They will go through every part of the supply chain to find a vulnerability which, once found, they will exploit. Once they find a way in, they can then spread malicious software throughout the entire chain.
Often due to their smaller size and budgets, it will be the smaller organisations on the supply chain that will be the weakest link, as their cyber security measures are unlikely to be as effective as those of larger ones.
According to a survey carried out in 2014 by Verizon, small organisations accounted for 92% of the number of cyber security incidents. Such a weak link then poses a risk for larger companies. The smaller firms they contract to produce required products expose them to danger regardless of their own cyber-security strength.
There are a number of ways an attacker can exploit weaknesses in a supply chain. Some organisations may be breached by hackers introducing Trojans or other malware via a weak link in the chain, which then works its way towards the true target. Another type of attack is known as a watering hole attack.
A watering hole attack is when one or more hackers identify a website that is frequently visited by users from within their targeted organisation. They then compromise the website to enable the spreading of malware. By identifying weaknesses in the main target's cyber security, the hacker is able to use the site chosen as a watering hole to deliver malware that will exploit those weaknesses on the target's systems. This often happens without the user being aware (known as a drive-by attack). Due to the trust the user is likely to have in the watering hole site, the malware could also be downloaded by the user without them realising what it contains.
According to the British Government, these types of attacks are on the rise.
Mitigating the Risks
To tackle the risks posed by the supply chain an organisation has to get the basics right:
Ensure that you follow your procurement processes and evaluate the cybersecurity risks from the start. By conducting thorough due diligence for new suppliers you can assess just how secure they are. Pressure your suppliers to improve their cyber security measures and collaborate with them to ensure that every link in the supply chain is adequately protected.
A good way for SMEs to ensure that they take the matter of cybersecurity seriously is to obtain the Cyber Essentials accreditation. By doing so they will improve their reputation as a well-defended supply chain partner and will be seen as a safer partner for larger organisations to work with.
To further increase supply chain security, communication has to be improved and standards have to be introduced throughout the chain. The International Standards Organisation (ISO) standards are a good framework for good security practice throughout the chain.
Don’t become a target: invest in protection and seek the advice of the professionals at PGI Cyber.