Cyber threats: supply chain risk

Cyber Resilience 8th May 2024

Organisations should be aware that cyber attacks as a result of supply chain vulnerabilities are becoming increasingly common in the UK. In this type of attack, hackers use an external provider or partner with access to your data and systems to break into your digital infrastructure.

Most organisations depend on suppliers to deliver their products, systems and services, and therefore give those suppliers access to their data and systems. For this reason, an attack on your supply chain can be just as damaging as a direct attack on your business. This blog post discusses the nature of supply chain attacks and offers tips to help SMEs manage their supply chain.

The rise of supply chain risk

These attacks can have devastating, costly, long-term consequences for affected businesses, supply chains, and customers.

Whether you become a direct target or a target by chance, it’s important that business owners and their employees understand how to detect potential supply chain threats and reduce the likelihood of a hacker breaching their systems and launching a damaging attack. 

In the past 12 months, supply chain risk has evolved from an emerging risk to a current risk, and it will remain a threat throughout 2024 and beyond.

If your organisation has taken steps to strengthen its cyber security posture, through employee training or investing in certifications such as Cyber Essentials, you may notice that your supply chain has become your greatest vulnerability.

Since supply chains can be large and complicated, cyber risks become difficult to identify. These risks can take many forms within the chain, whether they are inherent, introduced, or exploited.

If a hacker manages to infiltrate your supply chain, they can launch a variety of attacks such as service interruption and data theft. These attacks provide the hacker with a platform to directly access your systems and infrastructure or launch a direct cyberattack.

It has long been recognised that email is the biggest threat and the most common method of deploying an attack within the UK. The type of attack can vary significantly, and email scanning, antivirus technology and firewall controls have been doing a pretty good job of keeping these attacks out. 

However, if someone in your supply chain has been compromised (customer or supplier) and the criminal has access to their email, your standard prevent and detect controls can be of little or no use. 

When authentication, authorisation and signature-based detection have all been compromised, and the attacker also has the insider knowledge obtained from hacked email accounts, it is unlikely that monitoring of communication patterns will detect any anomalies.

Consider this: if you received an email from a trusted source you communicate with on a regular basis, would you hesitate to open a document, click a link, or enter your user credentials to access a file? This is what the attacker is counting on. 

Humans will always, by nature, be the weakest link in your security! Even if you have invested in training and phishing simulation exercises, none of this will protect your business from an attack launched from a compromised email account.

How to effectively manage your supply chain

Supply chain risk management becomes your ally in this battle. Ultimately you are looking for assurances that your suppliers take their cybersecurity as seriously as you do. You already do financial checks and health and safety checks, but do you do cyber checks?

One way to get this assurance is to ensure your suppliers hold accreditations such as Cyber Essentials, Cyber Assurance and ISO 27001. However, what if they don’t hold these certifications?

Here are some tips for managing your supply chain.

  • Understand your supply chain; not all suppliers are equal.
  • Rank your suppliers based on the importance of the service and access to your systems and data.
  • Include cybersecurity in your contracting process.
  • Set minimum cyber security requirements (make sure they’re justified and achievable).
  • Complete due diligence.
  • Request evidence from your suppliers regarding their approach to cyber security.
  • Perform regular reviews, as things can change over time.  

Further advice to SMEs

“Prevention is better than cure” is a quote that has been around for hundreds of years but remains very relevant when it comes to cybercrime. The world agrees cyberattacks are inevitable; it is no longer a question of if, but when.

HMRC reported (Oct 2023) that SMEs in the UK make up 99.9% of the business population. By default, this means that the UK supply chain has SMEs at its core. Therefore, when we are talking about supply chain risk it is twofold for all SMEs. 

As an SME you need to protect your business to ensure it continues to operate, and you need to protect your place within the supply chain and protect your customers. Both can be equally catastrophic to your business and could result in your inability to continue to operate.

The best form of prevention is certifications such as Cyber Essentials and Cyber Assurance, as well as investing in training and awareness for your employees. 

Risk assessment and managing supply chain risk are the same for all sizes of businesses. 

We hope you found this information useful and will remain vigilant and prepared for potential cyber-attacks from within your supply chain. 

If you have any questions or would like to better understand how to deal with a cyber attack from within your supply chain, get in touch with a member of our team today. 
