
Supply chain attacks, which are sometimes referred to as value-chain or third-party attacks, seek to damage an organization by targeting the least secure elements within its supply network.
Unlike narrowly targeted cyberattacks such as spear-phishing, supply chain attacks are widespread and enable hacking at an enormous scale. By using a third-party provider as a steppingstone into other networks, a single supply chain attack can compromise hundreds of organizations at once, including those with sophisticated cybersecurity. This kind of attack is rarely identified by an organization’s own security systems and, even if a third party were to recognize an attack, it may not disclose it for fear of reputational damage.
The Rise of Supply Chain Attacks
Cyberattacks are most commonly associated with the finance sector, where there are opportunities to steal money and valuable customer data. However, as global supply chains increasingly adopt digitized management systems, industrial businesses have become increasingly attractive targets for cybercriminals: their security is less sophisticated, their use of easily compromised Internet of Things (IoT) devices is increasing dramatically, and they have developed a false sense of security.
In recent years, there have been several high-profile supply chain attacks. In 2013, an attack via an HVAC vendor gained access to systems used by retailer Target to store customer payment information. The 2017 NotPetya malware attack, which paralyzed computer networks across the globe, was the result of another successful software supply chain attack. In 2018, Deep Root Analytics, a marketing firm used by the Republican National Committee, leaked the personal data of 200 million voters by accidentally uploading it to a publicly accessible server.
Statistics suggest supply chain attacks are on the rise. A 2018 survey conducted by the Ponemon Institute found that 56% of organizations have suffered a security breach by one of their vendors. In 2019, the number of supply chain attacks increased by 78%.
At any given organization, the average number of third parties with access to sensitive information is 471, with only 18% of organizations aware of whether or not these vendors are further sharing this information with additional suppliers.
Mitigating the Risk of Supply Chain Attacks
In 2019, IT professionals cited the misuse or unauthorized sharing of confidential data by third parties as their second biggest concern. Here are six ways to reduce the risk of supply chain attacks.
1. Evaluate the Risk of Third Parties
Organizations must insist that their suppliers comply with appropriate cybersecurity regulations. They might ask vendors to perform self-assessments or audits, or make the purchase of cyber insurance compulsory. By evaluating all third parties with access to sensitive data, an organization significantly reduces its risk of experiencing a breach.
2. Limit Users’ Ability to Install Shadow IT (Unapproved Software)
IT functions usually have a list of approved software, but individual workers within the business often install unapproved programs such as file-sharing software to help them do their jobs. This is known as Shadow IT.
By reducing the number of users who are authorized to install third-party software on machinery, organizations can decrease their attack surface. When flawed software or hardware is embedded into a device or product, it presents a major security risk.
3. Include Appropriate Termination Clauses in Vendor Contracts
Organizations ought to consider what will happen to sensitive data held by a supplier following a contract termination. There should be a clause within all vendor contracts to address this issue.
4. Review Access to Sensitive Data
An organization needs to know exactly who has access to its sensitive data so that it can limit access to select users for specific purposes. Third parties should be required to openly share this information.
5. Secure IoT Devices
IoT devices are known for being extremely vulnerable to cyberattacks, which means extra precautions must be taken to secure them. For example, diagnostics for a smart manufacturing tool can be automatically sent to the manufacturer to carry out predictive maintenance. It might be a much-valued service, but it leaves organizations vulnerable to attack.
6. Continually Monitor and Review Cybersecurity
The nature of cyberattacks is forever evolving to exploit organizations’ vulnerabilities. To reduce the chances of a supply chain attack, the cybersecurity policies of organizations and their vendors must be continuously assessed and refreshed.