Cyber crime is on the rise. It costs the UK at least £27 billion each year and experts believe more criminals are looking to target supply chains because they are seen as the ‘weakest link’.
The Kroll Global Fraud Report 2013/14, published last month, revealed that cyber attacks have almost doubled over the past year, and the number of firms affected by information theft as a result of an attack on a vendor or supplier has increased more than three-fold.
The study also found a third of companies do not invest in cyber security, and are “neglecting elements such as staff screening and due diligence on partners, clients and vendors”.
At a CIPS Fellows’ event last month, police commissioner Adrian Leppard also warned of the growing threat of cyber security breaches with more outsourcing taking place, and many companies using cloud computing. He advised procurement professionals to amend their contracts to mitigate threats, but this month’s SM100 poll found almost 70 per cent of respondents have not redrawn their contracts.
Even though the majority of attacks are opportunistic, cyber criminals are not afraid to ‘go around the houses’ to get to the company they want to target, says David Emm, senior security researcher at Kaspersky Lab.
Last month, the computer security firm exposed ‘Icefog’, a new cyber-espionage campaign focusing on supply chain attacks in Japan and South Korea.
“I think this is the first time that people are specifically going after supply chains,” says Emm.
“It’s possible that a company gets used as a stepping stone to go after another organisation that is the main target.”
He also points out criminals may choose to disrupt the supply chain to cause problems for the company they want to target.
Ed Savage, head of cyber consulting at PA Consulting Group and a CIPS member, echoes Emm’s view. “It’s much easier to target companies that are less well protected,” he says. “For people targeting a company such as a major bank, there’s been a real move to target the bank’s advisors or major suppliers who may be less well protected, but may still have access to the same information.”
Savage explains that some cyber attacks may also be used to steal information on tenders from a rival bidder.
“In some countries they believe it to be part of normal business and therefore they will activate any means possible to find out about any companies they are competing against,” he says.
Lawyer Martin Sloan, associate in the IP, technology and outsourcing group at Brodies, is of the same opinion. “More data is being held by businesses, and companies are increasingly dependent on complex technology to trade,” he says.
“That data is attractive to hackers. Some organisations may resort to corporate espionage to uncover confidential information about their rivals in order to gain an upper hand in negotiations or the market in which they operate.”
Sloan adds many firms have “not yet woken up to the risks” posed by cyber attacks, and this could put them in potential breach of the Data Protection Act as well as risking both brand and reputational damage.
“Even those organisations that are alert to cyber security cannot be complacent,” he says. “Cyber security is an ongoing arms race between IT security experts and hackers. Each new security measure simply presents a fresh challenge for the hackers to overcome.”
There are three main types of attacks, according to Emm. The most common is to install a ‘backdoor’ programme on one computer in a company to gather information from that device, as well as the wider network that it has access to.
The second type, such as the Icefog attack, involves planting backdoor software on one computer, gathering information, and then moving onto another computer to do the same. “It’s more of an individual hit and run exercise,” Emm says.
A denial of service attack focuses on preventing a company from running their operation. “Backdoor software could be planted on a million computers to flood a retailer’s web servers with traffic all at once,” explains Emm.
So what can be done to protect against an attack? Savage believes a major problem in procurement is that people do not always understand the risks they are trying to protect against.
“I find a lot of buyers are spending big money on technical products without having really looked at the assets they’re trying to protect and what their priorities are, so they end up wasting quite large amounts of money,” he says.
When it comes to what could be included in a contract, Savage has developed a new cyber-security British Standard, PAS 555. This is a set of 30 clauses that can be dropped into a contract to cover cyber security issues.
“The great thing about it is that it specifies the outcomes of good security rather than specifying lots of detailed inputs,” he says. “If you are going to procure services, you want to specify outcomes because it then allows the knowledgeable supplier to determine the best way of doing the how.”
However, Sloan points out it is not enough to rely on the terms of the contract. He advises businesses to audit the cyber security and business continuity measures adopted by their suppliers. “Regular penetration testing of systems, using so-called ethical hackers, is one way to test whether the measures that have been put in place are up to scratch,” he says.
“Suppliers should also be asked if they obtain independent audit reports, such as a type-two SSAE 16 or ISAE 3402 report, to help businesses to evaluate their security measures. Again, don’t just file the report – read it and question any potential risks that have been identified.”
Emm adds companies need to engage with their staff because quite often, an attack starts by tricking humans, for example through a ‘spear phishing’ email with an attachment or link, apparently from someone internal, that people are likely to open.
“If an employee does do something that could harm the system, you need to know about it,” he says. “Having a policy that says that they will get fired over it is not ideal. You are more likely to get people flagging up suspicious behaviour if it is encouraged.”
He also recommends businesses make sure that employees only have access to the information they need to get their job done. For example, not everyone should be able to access HR records.
Phishing on the dock of the bay…
The lengths to which criminals will go to gain access to vital information was highlighted by Europol officials this month.
The law enforcement agency told the BBC that drugs smugglers hacked into computers at the Belgian port of Antwerp in order to smuggle cocaine and heroin.
The criminals broke into companies to hide malicious hardware. A box that would normally provide electricity was found to contain a mini-computer that was able to store the data going through the system. Another USB-type device was plugged into individual computers to log all the keystrokes and take screenshots.
This allowed the crime gangs to identify which containers their drugs were in, and steal them before they were picked up.