The National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) have warned that criminals have been increasing their online attacks against UK businesses by targeting vulnerabilities in their supply chain.
In their joint report, Cyber Threat to UK Business Industry 2017-2018, the NCSC and NCA said supply chain compromises of managed service providers and of legitimate software, such as MeDoc and CCleaner, had provided cyber criminals with a potential stepping-stone into the networks of thousands of clients.
It said criminals were increasingly “capitalising on the gateways provided by privileged accesses and client/supplier relationships” and that “attackers will target the most vulnerable part of a supply chain to reach their intended victim”.
“It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” it said.
Supply chains account for roughly 80% of all cyber-attacks, according to the SANS Institute.
Ben Ludford, a consultant at global procurement consultancy Efficio, told SM that, in the past, hackers had focused on companies that were rich in data and IP, but the rise of ransomware meant every computer was now a possible target.
He said recent high-profile cases, such as WannaCry, which affected 230,000 computers worldwide, highlighted the importance of CPOs taking the appropriate measures to protect their companies and supply chains.
He gave the following six key steps for CPOs to prevent cyber attacks on their supply chains.
1. Conduct a cyber-risk assessment of your supply chain
“Think the unthinkable. What if all your suppliers’ IT systems and channels of communication failed? What if the supplier managing customer data suffered a breach? Asking questions will help you understand the potential risks and how they could impact on your organisation. Based on this assessment you can prioritise your actions.”
2. Mitigate the impact of a successful attack
“Assume a successful cyber attack is inevitable. This way of thinking shifts your focus to developing plans and practices that will minimise any damage should an incident occur.”
3. Make cyber security a part of supplier capability assessments
“Your suppliers should be operational, effective and secure. Ask questions that test the security of your suppliers’ systems; screen the cyber awareness of personnel; and request to see plans of how a potential incident might be dealt with. As cyber risks continue to grow, this is likely to become standard practice.”
4. Require suppliers to sign up to accreditation or third-party testing
“Don’t assume that your interpretation of ‘secure’ is the same as your suppliers’. There are accreditations such as the Cyber Essentials Certificate from the UK Government’s NCSC. If your suppliers express concern about being tested by a third party, alarm bells should be ringing.”
5. Add consequences to your contracts
“Along with contractual requirements about data storage, you can also add clauses around the consequences of losing data. For example, you can give yourself authority to visit a supplier company and find out exactly what has been stolen and how the theft occurred – this gives you the power to handle the situation and the knowledge to make the right decisions.”
6. Train supplier personnel
“Human error is the primary source of data breaches. You can help suppliers, and the personnel who have responsibility for handling your data, by providing training or directing them to undertake training themselves. Training helps staff to identify potential attacks and is constantly refreshed to enable them to act as the first line of defence against such incidents.”