Cyber security attacks happen almost daily, impacting SMEs to multinational corporate companies. The majority of the attacks and data breaches can be found coming from the same place – through the supply chain, where security can become weak and mismanaged. Or, directly through people that work as part of a supply chain, when using their home network it can act as an entry point to their world of work for attackers.
When an organisation enters your supply chain providing goods or services, they may need access to certain proprietary data or systems and your security could become compromised. It is highly likely that parts of your supply chain will have this access, for example providing support for equipment, which creates potential infrastructure entry points. Whilst your own company may have deployed a number of security defences to protect your network – can you say the same about your suppliers?
Supply chain attacks are not new, in fact they have been around for a number of years. One of the largest data breaches in retail history dates back to 2013. Approximately 40 million of US retailer Target’s customers had their credit and debit card information stolen after malware was found on the company’s point of sale systems. It is believed that the original infiltration of Target’s network actually came via their HVAC (heating, ventilation and air conditioning) supplier, whose network was compromised and, in turn, the attackers were then able to use the “trusted” connection to gain access to Target’s infrastructure.
It isn’t just retail organisations who are under attack. Healthcare, defence, aerospace, government, managed service providers and IT industries, amongst many other sectors, have all been targeted by threats acting on behalf of foreign governments. It’s likely that they are all looking to steal intellectual property.
The supply chain is a risk for your company, no matter what your organisation is. As soon as you start to outsource, you lose an element of control over your data. Some common weaknesses in supply chain management affecting businesses are:
Lack of resources in the supply chain
In an ideal world, companies in the supply chain would take sole responsibility for dedicating sufficient resources to manage their own security. In practice, however, many suppliers do not identify security as a core business need, either unaware or indifferent to the potential impact it will have downstream. In these instances, it becomes imperative to impose your minimum expected security standards upstream, where possible, requiring the suppliers commitment to these standards as part of the deal. This should be reviewed on a regular basis with each supplier to ensure that they maintain this capability. If not, a risk assessment should be carried out to determine if the value to your business exceeds the potential damage a supply chain attack could cause. In the worst case scenario it might be necessary to find a new supplier.
Inability to adapt to supply chain changes
When it comes to suppliers one size does not fit all, supply chains come in varying sizes and the longer your chain the more attention you need to give it. A flexible management approach should be adopted, dependant on the risk associated with each supplier. For example, the risk posed by your third party network management provider will likely be greater than the risks posed by the supplier of commodity software licences. As an upstream company you must ensure there is suitable flow down the chain that monitors security controls.
A lack of communication between business and supplier
Communication between suppliers concerning updated security measures or reporting of incidents is key across the chain. If the suppliers aren’t aware of expected changes to the security of the chain or don’t understand the steps to take in the event of a breach, cyber attacks are more likely to be successful and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues as all parties involved will have written confirmation of security expectations. Constant reviews of the process here are essential and can help flag up any weaknesses or communication that has been missed.
A focus on British Airways
British Airways (BA) was attacked by cyber criminals in 2018. Its web server was compromised by Magecart, a known threat which was also behind the attacks on Cancer Research UK and Ticketmaster. It used custom JavaScript card skimmers, hosted on the compromised web server. Since this, experts are now advising against using third party scripts, as they leave supply chains open for attack. In British Airways’ case, a supplier was compromised and the attackers were able to change their code files to include card grabbing scripts.
This is a failure of the software development processes to establish supply chain management processes. The chain wasn’t informed of the critical software updates from the supplier and as a result these weren’t identified and applied in enough time to prevent the attack.
How to prevent an attack through the supply chain
Ensuring appropriate controls are in place
It is important that a business understands the risk a supplier may pose and ensure that the supply chain has appropriate security controls in place. These will vary and flex dependent upon the type of data or influence the chain has on the business. One starting point would be to ensure all suppliers attain ‘cyber essentials’, which is becoming the UK’s minimum standard of security. However, this might be insufficient for high risk suppliers.
Regular auditing of the chain
Audits of critical suppliers are important to ensure that they are safeguarding data in the ways they claim. The assessment will need to flex depending upon the risk, from a simple questionnaire to a full scale onsite 2nd or 3rd party audit – it’s all about assessing the level of threat and acting accordingly.
Making sure the chain understands the importance
Ensure that your supplier understands the procedures in place to contact you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects to your company should their systems be compromised, and create a contingency plan around this. This should be set up ready to go at the push of a button if needed, mitigating the damage that can be done to your business.
Mitigate against any risks
As a company, you must decide which controls you can insist the supplier enhances in order to continue business. If they don’t comply, can you put mitigating procedures in place? If you can’t mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk and deal with it when it happens.
Cyber security is a big threat to many businesses and can impact every entity in the supply chain from the top to the bottom. It is essential that all elements of the supply chain work in tandem to maintain tight security for all involved.
Collin Robbins, managing security consultant at cyber security specialist, Nexor.
WHY SUPPLY CHAINS ARE A HUGE CYBER SECURITY RISK
Cyber security attacks happen almost daily, impacting SMEs to multinational corporate companies. The majority of the attacks and data breaches can be found coming from the same place – through the supply chain, where security can become weak and mismanaged. Or, directly through people that work as part of a supply chain, when using their home network it can act as an entry point to their world of work for attackers.
When an organisation enters your supply chain providing goods or services, they may need access to certain proprietary data or systems and your security could become compromised. It is highly likely that parts of your supply chain will have this access, for example providing support for equipment, which creates potential infrastructure entry points. Whilst your own company may have deployed a number of security defences to protect your network – can you say the same about your suppliers?
Supply chain attacks are not new, in fact they have been around for a number of years. One of the largest data breaches in retail history dates back to 2013. Approximately 40 million of US retailer Target’s customers had their credit and debit card information stolen after malware was found on the company’s point of sale systems. It is believed that the original infiltration of Target’s network actually came via their HVAC (heating, ventilation and air conditioning) supplier, whose network was compromised and, in turn, the attackers were then able to use the “trusted” connection to gain access to Target’s infrastructure.
It isn’t just retail organisations who are under attack. Healthcare, defence, aerospace, government, managed service providers and IT industries, amongst many other sectors, have all been targeted by threats acting on behalf of foreign governments. It’s likely that they are all looking to steal intellectual property.
The supply chain is a risk for your company, no matter what your organisation is. As soon as you start to outsource, you lose an element of control over your data. Some common weaknesses in supply chain management affecting businesses are:
Lack of resources in the supply chain
In an ideal world, companies in the supply chain would take sole responsibility for dedicating sufficient resources to manage their own security. In practice, however, many suppliers do not identify security as a core business need, either unaware or indifferent to the potential impact it will have downstream. In these instances, it becomes imperative to impose your minimum expected security standards upstream, where possible, requiring the suppliers commitment to these standards as part of the deal. This should be reviewed on a regular basis with each supplier to ensure that they maintain this capability. If not, a risk assessment should be carried out to determine if the value to your business exceeds the potential damage a supply chain attack could cause. In the worst case scenario it might be necessary to find a new supplier.
Inability to adapt to supply chain changes
When it comes to suppliers one size does not fit all, supply chains come in varying sizes and the longer your chain the more attention you need to give it. A flexible management approach should be adopted, dependant on the risk associated with each supplier. For example, the risk posed by your third party network management provider will likely be greater than the risks posed by the supplier of commodity software licences. As an upstream company you must ensure there is suitable flow down the chain that monitors security controls.
A lack of communication between business and supplier
Communication between suppliers concerning updated security measures or reporting of incidents is key across the chain. If the suppliers aren’t aware of expected changes to the security of the chain or don’t understand the steps to take in the event of a breach, cyber attacks are more likely to be successful and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues as all parties involved will have written confirmation of security expectations. Constant reviews of the process here are essential and can help flag up any weaknesses or communication that has been missed.
A focus on British Airways
British Airways (BA) was attacked by cybercriminals in 2018. Its web server was compromised by Magecart, a known threat which was also behind the attacks on Cancer Research UK and Ticketmaster. It used custom JavaScript card skimmers, hosted on the compromised web server. Since this, experts are now advising against using third party scripts, as they leave supply chains open for attack. In British Airways’ case, a supplier was compromised and the attackers were able to change their code files to include card grabbing scripts.
This is a failure of the software development processes to establish supply chain management processes. The chain wasn’t informed of the critical software updates from the supplier and as a result these weren’t identified and applied in enough time to prevent the attack.
How to prevent an attack through the supply chain
Ensuring appropriate controls are in place
It is important that a business understands the risk a supplier may pose and ensure that the supply chain has appropriate security controls in place. These will vary and flex dependent upon the type of data or influence the chain has on the business. One starting point would be to ensure all suppliers attain ‘cyber essentials’, which is becoming the UK’s minimum standard of security. However, this might be insufficient for high risk suppliers.
Regular auditing of the chain
Audits of critical suppliers are important to ensure that they are safeguarding data in the ways they claim. The assessment will need to flex depending upon the risk, from a simple questionnaire to a full scale onsite 2nd or 3rd party audit – it’s all about assessing the level of threat and acting accordingly.
Making sure the chain understands the importance
Ensure that your supplier understands the procedures in place to contact you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects to your company should their systems be compromised, and create a contingency plan around this. This should be set up ready to go at the push of a button if needed, mitigating the damage that can be done to your business.
Mitigate against any risks
As a company, you must decide which controls you can insist the supplier enhances in order to continue business. If they don’t comply, can you put mitigating procedures in place? If you can’t mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk and deal with it when it happens.
Cyber security is a big threat to many businesses and can impact every entity in the supply chain from the top to the bottom. It is essential that all elements of the supply chain work in tandem to maintain tight security for all involved.
Collin Robbins, managing security consultant at cyber security specialist, Nexor.
