Supply chain cyber security is only as strong as the weakest link
If you have a teenager at home, you may have come across the online game Among Us. Set aboard a spaceship, players run around as identical-looking crewmates until one of them is bumped off. The survivors must then work out which of their fellow players is in fact an impostor wreaking havoc.
An old idea with a modern makeover, the game isn't a million miles from the new frontier of cyber threats: supply chain attacks. From Cloud Hopper to SolarWinds, attackers have compromised a trusted provider, in one case a managed service provider and in the other a vendor's software build, and used that foothold to reach the provider's customers. Most worryingly of all, businesses can no longer rely solely on their own security controls: a single weak link anywhere in the supply chain is enough for sensitive data to end up with criminals.
Our industry is not naive about the rising number of attacks that capitalise on our ever-increasing interconnectivity. As businesses small and large share data and systems at scale, our collective attack surface grows, and a single compromise can be the first domino in a chain that attackers hope to see fall one by one.
A primary method criminals use against supply chains is impersonation, often called business email compromise, and it can be remarkably sophisticated. Criminals may spend months studying employees' social media profiles and company press releases to map out a supply chain, working out where they can insert themselves to divert invoice payments to accounts they control, or to lure employees into phishing.
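The invoice-diversion tactic above usually arrives from a domain that merely resembles the real supplier's. The following is an added illustration, not code from this article or from any named organisation, of the sender-domain check a finance team's mail filter could apply: an allow-list of supplier domains, and a classification of each inbound sender as trusted (the supplier's domain or a genuine subdomain), a lookalike (one-character typosquat, homoglyph swap, or the supplier's name padded with an extra token), or unknown. The supplier domains, the homoglyph table and the sample inbox are all constructed for the example.

```python
"""Sender-domain lookalike check for supplier invoices.

Added illustration, not code from the article. Given an allow-list of
supplier domains, it classifies the domain of an inbound e-mail as
trusted (exact domain or a subdomain of it), lookalike (typosquat,
homoglyph swap, or the supplier name padded with an extra token) or
unknown. All supplier domains, messages and the homoglyph table are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed allow-list of supplier domains (hypothetical names).
TRUSTED_SUPPLIERS = {"acme-parts.example", "northwind.example"}

# Character swaps commonly used to build lookalike domains. The table is
# deliberately small; a real deployment would use a fuller confusables list.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    for lookalike, plain in HOMOGLYPHS.items():
        d = d.replace(lookalike, plain)
    return d


def registrable_label(domain: str) -> str:
    """The label just left of the TLD ("acme-parts" in "acme-parts.example").

    Simplification: assumes a single-label TLD, which holds for the sample
    data; real code would consult the public suffix list.
    """
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str,
                    trusted: Iterable[str] = TRUSTED_SUPPLIERS) -> Tuple[str, Optional[str]]:
    """Return ("trusted" | "lookalike" | "unknown", matched supplier domain or None)."""
    d = sender_domain.strip().lower().rstrip(".")
    for t in sorted(trusted):                       # sorted so matching is deterministic
        if d == t or d.endswith("." + t):           # exact domain or a genuine subdomain
            return ("trusted", t)
    nd = normalise(d)
    nlabel = registrable_label(nd)
    for t in sorted(trusted):
        nt = normalise(t)
        tlabel = registrable_label(nt)
        if nd == nt:                                # differs only by a homoglyph swap
            return ("lookalike", t)
        if edit_distance(nlabel, tlabel) <= 1:      # one-character typosquat or wrong TLD
            return ("lookalike", t)
        if tlabel in nlabel:                        # supplier name padded, e.g. "-invoices"
            return ("lookalike", t)                 # (very short supplier names would need care)
    return ("unknown", None)


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str


# Constructed inbox: two genuine supplier messages, two impersonations, one unrelated.
SAMPLE_INBOX = [
    Message("Acme Parts Accounts", "ar@acme-parts.example", "Invoice 4471"),
    Message("Acme Parts Accounts", "ar@acrne-parts.example", "Invoice 4471 - new bank details"),
    Message("Northwind Billing", "billing@payments.northwind.example", "Invoice 92"),
    Message("Northwind Billing", "billing@northwind-invoices.example", "Remittance change"),
    Message("Jane", "jane@unrelated.example", "Lunch?"),
]


def triage(inbox: Iterable[Message]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each message's sender domain; lookalikes are the ones to hold for review."""
    out = []
    for m in inbox:
        domain = m.from_addr.rsplit("@", 1)[-1]
        verdict, match = classify_sender(domain)
        out.append((m.from_addr, verdict, match))
    return out


if __name__ == "__main__":
    for addr, verdict, match in triage(SAMPLE_INBOX):
        print(f"{verdict:9} {addr:45} {match or ''}")
```

Run against the sample inbox, the two genuine messages are classed as trusted, the "acrne-parts" (r-n for m) and "northwind-invoices" senders are flagged as lookalikes of their respective suppliers, and the unrelated address is left as unknown. A check like this catches the domain part of an impersonation; it does nothing about a genuinely compromised supplier mailbox, which is why a change of bank details should always be confirmed out of band as well.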
While global businesses may have the resources to employ cyber security teams that can assess and contain such risks, criminals are increasingly targeting smaller businesses lower down the chain as a back door to highly sensitive customer data.
Cyber security professionals have come under immense pressure over the past 18 months to manage the threat on multiple fronts. Whereas 10 years ago only the most sophisticated attackers, usually sponsored by hostile states, could cripple national infrastructure and global business, ransomware attacks carried out by criminal groups now represent a bigger risk to UK national security, according to the National Cyber Security Centre.
So how can we ensure that cyber security remains robust down the full length of supply chains?
Businesses must acknowledge their shared responsibility for keeping the supply chain secure. Every business has a duty to secure itself in order to protect its stakeholders, clients and customers. Yet according to the DCMS Cyber Security Breaches Survey published in March 2021, only 12% of UK businesses had reviewed the cyber security risks posed by their immediate suppliers.
That is a sobering statistic, and it reflects a general attitude among C-suite executives that cyber security is still a secondary consideration for management. A concern CISOs raise regularly is that they lack the resources to protect their own company's systems adequately, let alone to assess the systems of suppliers.
We therefore need a shift in emphasis. It is no longer excusable to scapegoat under-resourced cyber security departments, or simply to assume that suppliers are secure. Cyber security, including assessing compliance all the way down the supply chain, should be integral to every business operating in today's ever more online world, and suppliers should be held to minimum cyber security requirements that are verified rather than assumed.
As cyber attacks become more frequent and sophisticated, businesses must ensure they are not left behind. Now more than ever, businesses should take advantage of the many knowledge-sharing networks within the cyber security industry, such as SASIG, in order to stay up to date and alert to the latest threats.
It is also vital that the industry makes its voice heard as the government considers its new cyber security strategy.