You should be aware that cyber attacks as a result of supply chain vulnerabilities are becoming increasingly common in the UK. In this type of attack, hackers use an external provider or partner with access to your data and systems to break into your digital infrastructure.
As a business owner, you will depend on your suppliers to deliver their products, systems and services, therefore, you will provide them access to your data and systems. For this reason, an attack on your supply chain can be just as damaging as a direct attack on your business. This blog post discusses the nature of supply chain risk attacks and tips to help SMEs manage their supply chain.
The rise of supply chain risk
These attacks can have devastating, costly, long-term consequences for your business, supply chains, and customers.
Whether you become a direct target or a target by chance, it’s important that business owners and their employees understand how to detect potential supply chain threats and reduce the likelihood of a hacker breaching their systems and launching a damaging attack.
In the past 12 months, supply chain risk has evolved from an emerging risk to a current risk, and will continue to remain a threat throughout 2024 and beyond.
Supply chains can be large and complicated, therefore cyber risks become difficult to identify. These risks can take many forms within the chain, whether they are inherent, introduced, or exploited.
If a cyber criminal manages to infiltrate your supply chain, they can launch a variety of attacks such as service interruption and data theft. These attacks provide the hacker with a platform to directly access your systems and infrastructure or launch a direct cyberattack.
It has long been recognised that email is the biggest threat and the most common method of deploying an attack within the UK. The type of attack can vary significantly, and email scanning, antivirus technology and firewall controls have been doing a pretty good job of keeping these attacks out.
However, if someone in your supply chain has been compromised (customer or supplier) and the criminal has access to their email, your standard prevent and detect controls can be of little or no use.
When authentication, authorisation and signature-based detection have all been compromised, combined with the insider knowledge obtained from hacked email accounts, it is unlikely any communication patterns will detect anomalies.
Consider this: if you received an email from a trusted source you communicate with on a regular basis, would you hesitate to open a document, click a link, or enter your user credentials to access a file? This is what the attacker is counting on.
Humans will always by nature, be the weakest link in your security! Even if you have invested in training and phishing simulation exercises, none of this will protect your business from a compromised email account-based attack.
How to effectively manage your supply chain
Supply chain risk management becomes your ally in this battle. Ultimately you are looking for assurances that they take their cybersecurity as seriously as you do. You already do financial checks, and health and safety checks but do you do cyber checks?
One way to get this assurance is to ensure they hold accreditations such as Cyber Essentials, Cyber Assurance and ISO27001. However, what if they don’t hold these certifications?
Here are some tips for managing your supply chain.
- Understand your supply chain; not all suppliers are equal.
- Rank your suppliers based on the importance of the service and access to your systems and data.
- Include cybersecurity in your contracting process.
- Set minimum cyber security requirements (make sure they’re justified and achievable).
- Complete due diligence.
- Request evidence from your suppliers regarding their approach to cyber security.
- Perform regular reviews, as things can change over time.
Further advice to SMEs
Prevention is better than cure, a quote that has been around for hundreds of years but remains very relevant when it comes to cybercrime. The world agrees cyberattacks are inevitable, it’s no longer if, it’s now when will it happen.
HMRC reported (Oct 2023) that SMEs in the UK make up 99.9% of the business population. By default, this means that the UK supply chain has SMEs at its core. Therefore, when we are talking about supply chain risk it is twofold for all SMEs.
As an SME you need to protect your business to ensure it continues to operate, and you need to protect your place within the supply chain and protect your customers. Both can be equally catastrophic to your business and could result in your inability to continue to operate.
The best form of prevention is certifications such as Cyber Essentials and Cyber Assurance, as well as investing in training and awareness for your employees.
Risk assessment and managing supply chain risk are the same for all sizes of businesses.
We hope you found this information useful and will remain vigilant and prepared for potential cyber-attacks from within your supply chain.
If you have any questions or would like to better understand how to deal with a cyber attack from within your supply chain, get in touch with a member of our team today.