Although your business will already have put measures in place to protect itself from growing cyber security risks, the next step is to think about your supply chain and whether the organisations that support you pose an acceptable risk or a weak link. Much as you would be reluctant to do business with an organisation that has a poor credit rating, cyber supply chain risk should be seen in a similar light, and it is important that you understand the threat to your business.
There are two main ways in which the poor cyber security of your supply chain can have a direct impact on your organisation:
If one of your suppliers is unable to provide the goods or services you rely on because they have fallen victim to a cyber-attack, your output and reputation could suffer, particularly where you depend on just-in-time logistics or critical services. This is a risk you will want to avoid, or at the very least minimise, by choosing suppliers who have insulated themselves against cyber-attack.
Your supply chain may be used as a backdoor into your network. You may ask why your supply chain should be any different from any other business; the key difference is that cyber criminals are the confidence tricksters of the 21st century and will look to exploit the trusted relationships you have with your suppliers.
Attackers can exploit this trust in different ways. Firstly, some of your suppliers may have access to your Building Management Systems (heating, ventilation, power, lifts), which may be part of or linked to your network. If the supplier's network is compromised, yours might be too. A notorious example occurred in late 2013, when the US retailer Target was breached using credentials stolen from its HVAC contractor: payment card data for some 40 million customers and personal details of up to 70 million more were exposed, affecting up to 110mn customers in total, at an initially reported cost of $61mn.
Secondly, even if your networks are not directly connected, trust can still be exploited. An attacker can send spoof emails posing as the supplier, with malicious content embedded to gain a foothold on your network. Because you trust the supplier, you are more likely to open attachments that appear to come from them. Cyber criminals can go unnoticed on a compromised network for long periods, monitoring traffic and patterns to learn which types of email are sent to partner organisations, who sends them and what attachments are usual. Mimicking those patterns significantly contributes to their success.
Having gained access to the environment, there are various ways in which an attacker can 'cash in'. It may be client details, such as bank accounts and email addresses, which can all be sold on the dark web. Alternatively, for a potentially bigger and quicker 'payday', they can conduct an attack known as Business Email Compromise (BEC). Increasingly prevalent and profitable, BEC works by the attacker monitoring your communications to understand how and when you invoice your clients. The attacker then sends an email from your finance department's mailbox with your normal invoice, but critically with updated banking details for the client to pay into. To cover their tracks, the attacker deletes any genuine invoice sent to the target client and usually removes their own sent messages from your mailbox as well. As the email genuinely comes from your systems, your clients may well be duped into paying the invoice; equally, you may receive similar emails yourself from a compromised supplier. Although this attack may seem simplistic, it once again relies on the trusted relationships you have with both your supply chain and your clients. It is hugely successful: the FBI has estimated that $12bn has been defrauded through BEC over the past five years.
To protect yourself and reduce your cyber security supply chain risk, here are some things to consider:
Perform a baselining audit of who has access into your network, remove any unnecessary access, whether held by your own staff or by external suppliers, and then review it regularly through an ongoing audit process
Before taking on new suppliers or re-engaging existing ones, enquire about their cyber security maturity. Whilst there is no industry standard questionnaire for supply chain assurance, certification against the UK Government's Cyber Essentials+ scheme is a good place to start and shows that a supplier is at least thinking about it. Cyber 'credit rating' type services can be helpful here too, but they should not be viewed as the be-all and end-all: they are useful for comparing suppliers, but on their own can be quite misleading
Ensure you have robust processes in place in-house that do not allow any amended payment details to be acted on without additional verification, for example a phone call to confirm. Never call a number given in an email that asks for a change in payment details: it is likely to be the attacker waiting for your call. Instead, call your known contact on a number you have used before
Educate your staff on what to look for and how to spot this type of attack
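The BEC pattern described above and the payment-change control in the list can be expressed as a pre-payment check that Accounts Payable runs before acting on any invoice. The following Python script is an added example, not code from the original article; the vendor master record, the domains, the account numbers and the two sample invoice emails are all constructed for illustration. It takes a raw invoice email and the record already held for the supplier, flags the warning signs (a sender domain that is a lookalike of the supplier's, a Reply-To pointing elsewhere, a request to change payment details, a bank account that differs from the one on file, a phone number that is not the one on file) and returns the callback number from the record rather than anything taken from the email.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed vendor master data (added example): what Accounts Payable recorded
# when the supplier was onboarded. Changes to it need an out-of-band check.
VENDOR_MASTER = {
    "acme-supplies.example": {
        "name": "Acme Supplies Ltd",
        "bank_account": "GB29NWBK60161331926819",
        "callback_phone": "+44 20 7946 0000",
    },
}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{8,}\d")
CHANGE_RE = re.compile(r"\b(new|updated|changed) (bank|account|payment) details\b", re.I)


@dataclass
class PaymentCheck:
    vendor: Optional[str]      # matched vendor master record, if any
    callback: Optional[str]    # number from the master record, never from the e-mail
    findings: list = field(default_factory=list)

    @property
    def hold_payment(self) -> bool:
        return bool(self.findings)


def normalise(domain: str) -> str:
    """Fold common lookalike substitutions so 'supp1ies' compares as 'supplies'."""
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_vendor(domain: str):
    """Return (vendor_domain, is_lookalike); (None, False) if the domain is unknown."""
    if domain in VENDOR_MASTER:
        return domain, False
    for known in VENDOR_MASTER:
        if levenshtein(normalise(domain), normalise(known)) <= 1:
            return known, True
    return None, False


def digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def check_invoice(raw_email: str) -> PaymentCheck:
    """Assumes a single-part text/plain message, which is enough for this illustration."""
    msg = message_from_string(raw_email)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    vendor, lookalike = match_vendor(from_domain)
    if vendor is None:
        return PaymentCheck(None, None, [f"sender domain '{from_domain}' is not a known supplier"])
    record = VENDOR_MASTER[vendor]
    findings = []
    if lookalike:
        findings.append(f"sender domain '{from_domain}' is a lookalike of '{vendor}'")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To '{reply_addr}' points away from the sender domain")
    if CHANGE_RE.search(text):
        findings.append("e-mail asks for payment details to be changed")
    for iban in IBAN_RE.findall(text):
        if iban != record["bank_account"]:
            findings.append(f"bank account {iban} differs from the account on file")
    # Strip account numbers first so their digit runs are not mistaken for phone numbers.
    for phone in PHONE_RE.findall(IBAN_RE.sub(" ", text)):
        if len(digits(phone)) >= 9 and digits(phone) != digits(record["callback_phone"]):
            findings.append(f"phone number {phone.strip()} is not the number on file; do not call it")
    return PaymentCheck(vendor, record["callback_phone"], findings)


# Constructed sample messages: one genuine invoice, one BEC attempt.
GENUINE_INVOICE = """\
From: accounts@acme-supplies.example
To: payables@yourcompany.example
Subject: Invoice 10231

Please find attached invoice 10231, payable to GB29NWBK60161331926819.
"""

BEC_INVOICE = """\
From: accounts@acme-supp1ies.example
Reply-To: accounts@acme-supplies-billing.example
To: payables@yourcompany.example
Subject: Invoice 10231 - updated bank details

Please use our updated bank details for invoice 10231:
LT121000011101001000. Any questions, call us on +44 20 7946 0999.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_INVOICE), ("suspect", BEC_INVOICE)):
        result = check_invoice(raw)
        print(f"{label}: hold={result.hold_payment} callback={result.callback}")
        for finding in result.findings:
            print("  -", finding)
```

The point of the design is that every comparison is made against data recorded before the email arrived: the account number, the domain and, above all, the number to call back on come from the vendor master record, so an attacker who controls the mailbox or the lookalike domain cannot also supply the "verification" channel. A single finding holds the payment; the genuine invoice passes with none.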
Remember, nothing and no one is infallible, and this type of attack will continue for as long as it is profitable and works. It will no doubt evolve over time into something else, so you and your staff need to keep up with what is going on in order to defend against it. Your organisation might not be the ultimate target; you may be being used as a stepping stone to reach a more lucrative organisation. Ultimately, we are all part of someone's supply chain.