
How do I protect my supply chain from cyber attacks?

Updated: Jul 17, 2023

A supply chain attack is a cyber attack that targets the less secure elements or vulnerabilities of a company’s supply chain. The aim is to exploit the vulnerability to cause serious damage for those on the end of the attack or to gain unauthorised access to a company's data or systems.

Criminals choose this type of attack as they are able to gain access to sensitive information of multiple organisations within one attack. In 2020, the SolarWinds supply chain attack hit the headlines due to the scale of the attack and its impact.

In this attack, hackers were able to compromise the company’s network management software, SolarWinds Orion, which was used by thousands of organisations worldwide. The attackers inserted malicious code into a software update of SolarWinds Orion, which was then distributed to customers who installed the update.

Whilst the impact of supply chain attacks can be rather widespread, there are some very simple steps that businesses can take to improve their resilience to these types of attacks. The latest UK GOV Cyber Security Breaches Survey revealed that only just over 1 in 10 businesses are reviewing the cyber risks posed by their immediate suppliers, even though the possible outcomes of a supply chain attack are so significant.

Businesses should implement robust security measures, establish clear security expectations for third-party suppliers, and provide regular training and awareness to their employees to reduce the risk of these attacks and protect their sensitive information.

I don’t think I have a supply chain, so why would I be affected?

It’s often perceived that small businesses are not big enough to be hit by a supply chain attack. However, it is not about how many people work for you or how many office locations you have. A supply chain attack can be carried out through systems that you use.

A common type of supply chain attack is a website compromise attack. An example of this occurred when legitimate websites were compromised through website builders used by creative and digital agencies.

In this attack, the cybercriminals redirected the script so that it pointed victims to a malicious domain, and what that domain served was downloaded and installed on the systems of those browsing legitimate websites.

This attack unfortunately affected multiple businesses, as the script that was redirected was in the template of a website design that many UK-based digital agencies used.

How can you improve your supply chain cyber security?

  • Protect your internal systems via the installation of firewalls and virus-detection programs to block malware from accessing your systems.

  • Regularly back up your files and databases in the event that a cyber-attack deletes any trace of them.

  • Train your employees so they are able to recognise attempted cyber-attacks and know how to respond if their devices are affected. Your employees do not need to be cyber experts but should be educated on the dangers of opening suspicious emails and clicking on unknown URLs, links, and email attachments.

  • Lock down permissions on devices so that employees are unable to download unauthorised software and applications that could potentially damage your firewalls.

  • Be careful of those who supply your supply chain. Ensure that they regularly conduct security audits or have security certifications, and put this within a contract.

  • Manage the risks with a cyber security policy that is regularly updated and adopted. You should also have an incident response plan that provides a process that will help your business, charity or third sector organisation to respond effectively in the event of a cyber-attack.

How can the Cyber Resilience Centre for the South East support my business?

The South East Cyber Resilience Centre (SECRC) has been established to help businesses and organisations outsmart cyber criminals and toughen up their cyber security. It provides an affordable way to access cyber security services and consultancy to help improve cyber resilience.

Businesses and charities in the South East can sign up for FREE and receive a welcome pack full of practical resources and tools that will help you identify your risks and vulnerabilities and the steps you can take to increase your levels of protection. Through your membership, you will also get regular updates on new threats, designed to help you stay safer.

Follow us on Facebook, LinkedIn and Twitter to receive the latest SECRC news.

