Any cyberattack is dangerous, but the particularly devastating ones are those on supply chain companies. These “one-to-many” supply chain cyberattacks go far beyond the company that was initially breached. Targets can be any supplier – digital or non-digital – of goods and services.
We saw several attacks on the supply chain occur in 2021 that had wide-reaching consequences, some affecting business in Edinburgh.
Some recent high-profile examples of supply chain attacks include:
- Kaseya: This software company had its code infected with ransomware, which quickly spread to IT businesses that used its products. That then affected roughly 1,500 of their small business customers.
- Colonial Pipeline: A ransomware attack caused this major gas pipeline to be shut down for nearly a week.
- JBS: The world’s largest supplier of beef and pork products was hit with ransomware that caused plants in at least three countries to shut down for several days.
Supply chain attacks rose by 42% during the first quarter of 2021. A surprising 97% of companies have been impacted by a breach in their supply chain, and 93% suffered a direct breach as a result of a supply chain security vulnerability.
The rise of supply chain cyberattacks means that you need to be more worried than ever before. They’ve been quickly growing in popularity with criminals and are expected to continue this trajectory.
If you’re not properly prepared, then you can be hobbled by a software breach or have a vital supplier go down for several days due to a cyberattack.
As part of good business continuity and disaster recovery preparation, you should look at your supply chain. Scrutiny will identify where your risks are, and you can then look to mitigate them with fallback plans.
HOW CAN YOU MITIGATE YOUR RISK OF LOSSES DUE TO AN ATTACK ON YOUR SUPPLY CHAIN?
IDENTIFY YOUR SUPPLIER RISK
You can’t fix what you don’t know is wrong. Begin by shedding some light on your risk should one of your vendors get hit with an attack such as ransomware (the current attack of choice on the supply chain).
Make a list of all your vendors and suppliers, both for goods and services. This includes everything from the cloud services you use to the company that supplies your office products or any raw materials you may use in a product you sell.
Review these vendors to identify their cybersecurity risks. This is something you may need some help with from your IT partner (or us if you haven’t already got a good IT Partner!). Send them a survey to find out how they protect themselves, then determine how exposed you are as a customer.
CREATE MINIMUM SECURITY REQUIREMENTS FOR DIGITAL VENDORS
Come up with some minimum security requirements that you can use as a benchmark with your vendors. One way to make this easier is to use an existing data privacy standard as your requirement.
For example, if a vendor is GDPR compliant, then you know they’ve adopted several important cybersecurity standards to protect their business, and yours.
DO AN IT SECURITY ASSESSMENT TO LEARN WHERE YOU’RE VULNERABLE
If the software you use had a vulnerability that was exploited by hackers to take over a system, how much would that leave your systems at risk? Do you have a regular patch management strategy in place to ensure any software updates are applied right away?
An IT security assessment should be carried out annually to identify weaknesses and risks that evolve over time. An assessment will rate how strong your systems would be at preventing an attack originating from a digital supply chain vendor. It will also suggest measures to put in place to shore up any shortcomings.
PUT BACKUP VENDORS IN PLACE WHERE POSSIBLE
If you sell widgets and have a single supplier for one specific part of that widget, you’re at a much higher risk of downtime than if you have two suppliers of that part.
If a key vendor is attacked and can’t fulfil orders or provide services for a week or more, how would that impact your business? This is what you want to consider when setting up backup vendors.
For example, most companies would consider themselves down and not able to operate without their internet. Having a backup internet service provider can help you avoid lengthy downtime should your main ISP go down.
Look at putting this type of safety net in place for all vendors that you can.
ENSURE ALL DATA KEPT IN CLOUD SERVICES IS BACKED UP WITH A THIRD-PARTY TOOL
Microsoft recommends in its Services Agreement that customers back up their cloud data that is kept in its services (such as Microsoft 365). The policy states, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
You should have a backup (on a separate platform) of all data that you store in cloud services, so you’ll be protected in case of a ransomware infection, other data loss, or a service outage.
SCHEDULE A SUPPLY CHAIN SECURITY ASSESSMENT
Don’t be in the dark about your risk. Contact us today to schedule a supply chain security assessment to learn where you could be impacted in the case of a cyberattack on a supplier.
Article used with permission from The Technology Press.