No matter the size or the nature of your business, organizations today cannot avoid risks related to their supply chain. In a supply chain, there are many complex systems and usually multiple partners to consider. You are only ever as strong as your weakest link, and this is exactly the fact that attackers exploit to gain access to your organization and establish a foothold. The risk is almost ubiquitous — 91% of organizations experienced a software supply chain attack in 2023.
Once inside your network, the results of a cyberattack can include data leakage or exfiltration, reputational damage, and financial penalties.
What kinds of supply chain attacks should I be aware of?
There are four main types of supply chain attack to focus on when considering your own risk management strategy.
- Direct attacks on a connected service provider – By exploiting a vulnerability in a service provider’s defenses, attackers can pivot from the provider into its clients’ systems and launch an attack from there. Once they have gained access to the organization, attackers can send messages to customers — for example requesting an urgent transfer of funds, usually changing the bank account details for their own financial gain. An example of this kind of supply chain attack is the famous Target hack in 2013, where attackers were able to access the Target database and steal 40 million credit card numbers and the personal information of 70 million customers. The initial access came from a phishing attack against Fazio Mechanical Services, a third-party contractor used by Target.
- A system or software weakness – Probably the most famous kind of supply chain attack leverages a system or software vulnerability. Attackers gain unauthorized access to a vendor’s network and then inject malware or ransomware into a software update or new release that is being sent out to customers. Because the tampered update is distributed to every customer, the damage is far greater than a single intrusion and the attack surface grows accordingly. This kind of attack hit the headlines in 2020 when SolarWinds was attacked using a malware injection into its Orion software, and SolarWinds unwittingly sent this update to their customers — 18,000 of whom downloaded the malicious payload.
- An attack on equipment or hardware – A more direct kind of attack targets the physical hardware and products used by an organization. Attackers can embed malicious firmware in a product, or add listening devices to the chips soldered into equipment at the manufacturing stage. While no claims have ever been proven definitively, companies such as Huawei face regular accusations that their equipment is used for spyware, and Bloomberg’s reporting of a Chinese ‘spy-chip’ on computer motherboards that was secretly installed in 30 of the largest companies in the U.S. should be a warning to us all.
- Physical attack on the supply chain – As the saying goes, no one is an island. All entities rely on one another and cannot operate entirely self-sufficiently. By attacking critical elements of the business supply chain, hackers can have a devastating impact on any number of targets. Think of an attack on the transport system that stops people reaching their destinations, a targeted in-person attack on computers and hardware in an office that brings work grinding to a halt, or damage to the communication network that causes downtime or disruption to essential services. Broadening your understanding of what a supply chain attack is helps you prepare far better and assess risk more accurately and holistically.
8 ways to protect your organization against supply chain attacks
To ensure that there is no weakest link, you need to demand the same level of security and due diligence from your third-party vendors as you would for your own organization. To manage and mitigate the risk of a supply chain attack, start with the following checklist:
- Undertake a vendor survey for every third-party connection. Examine the vendor’s information systems and information security processes, and confirm that they have strong credential management and multi-factor authentication enabled.
- Look for recognized markers of strong security hygiene, such as suppliers who comply with international security and compliance standards like ISO 27001, SOC 1 and SOC 2.
- Whenever a third-party system is implemented, make a system survey part of the procurement process, so that no system or software introduces vulnerabilities that could harm your own business resilience or continuity.
- To avoid becoming so dependent on a supplier that you cannot cut ties without disruption or downtime of your own, use a preliminary questionnaire and be specific about how you create and manage the contract between you.
- In some cases, routine penetration tests should be performed on the third party’s systems to stress-test how they would hold up under attack. This could also include a physical assessment of their on-premises security controls.
- Implement continuous monitoring and control so that you can quickly identify and contain suspicious or anomalous behavior at the first signs of a breach. Quick containment and incident response are proven to reduce the damage of an attack.
- Perform regular backups on your environment, so that you can quickly restore services if a ransomware attack occurs. Implement recovery simulations, examining and iterating incident response and business continuity plans.
- Train employees on all cyber risks, including the different kinds of supply chain attack and what they may look like during a cyber event. Create a no-blame culture so that reporting suspicious activity becomes second nature.
Reducing the risk of a supply chain attack in your environment
According to Gartner, 45% of global organizations will experience an attack on their software supply chain by 2025, triple the number compared with 2021.
The supply chain is a growing attack surface that holds significant and complex threats for today’s organizations. To reduce this risk, businesses need continuous monitoring and control of all supplier and third-party vendor activity, implementation of the right information security processes across the supply chain, and full cooperation between all parties to maintain business continuity.
Looking for a way to mitigate potential supply chain attacks in your business environment? Speak to us about anticipating, managing and responding to sophisticated supply chain risk. Speak to an expert.