BACK-DOOR CYBER THREAT LEAVING SUPPLY CHAINS EXPOSED
War in Ukraine has heightened the cybersecurity threats posed by supply chains with thousands of vendors, and it is time for businesses to act, says BlueVoyant
WRITTEN BY: SEAN ASHCROFT
Supply chains often comprise thousands of vendors, many of which might be vulnerable to cyber attacks. Hackers often target such vendors as a means of gaining access into a larger company – the so-called backdoor attack.
Supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the larger organisation itself.
If a supplier or third party is hit by a cyberattack that leaves it unable to deliver key products or services, this can become a big problem very quickly and may affect business continuity. Internally, the biggest cyber threats come from suppliers or other third parties who have access to an organisation's IT networks. Externally, the biggest threat comes from third-party organisations that perform a critical business process or deliver a key product to the first party.
Yet despite the high-tech world we live in, a good deal of cybersecurity is not complicated; much of it comes down to sound housekeeping and well-managed communications, both in-house and external.
James McDowell is MD of BlueVoyant UK, whose cloud-based cybersecurity platform, BlueVoyant Elements, detects and responds to cybersecurity incidents.
Common supply chain cybersecurity threats
Supply chains can comprise thousands of vendors, many of which might be vulnerable. Hackers often target such vendors as a way to hack into larger companies – the so-called backdoor attack.
The consequences of such an attack can be severe, operationally, financially and reputationally.
Below are some of the top cybersecurity threats facing supply chains.
Human Error
This is something all hackers rely on, and for good reason: we’re all fallible. Accidental sharing of personal or business data, via email, unsecured forms or social media messaging, is a particular threat to companies where large numbers of employees have access to primary databases.
Poor Housekeeping
For all the sophistication of cybersecurity solutions, one of the biggest problems remains people's complacency and laziness around basic cybersecurity housekeeping. We all know someone who uses the same passwords for everything, or who doesn't bother changing default passwords from 0000 or 1111 to something secure.
PDFs
Scammers know people are more likely to open a PDF than an email, especially if they think it is a bank statement. Security company Palo Alto Networks says last year there was a 1,160% increase in malicious PDFs.
Databases
Database security is a big security challenge for businesses. According to American IT provider, Straight Edge Technology, some hackers use social engineering attacks to steal login credentials, while others use malware to gain access.
SMS
So-called ‘smishing’ sees the attacker send an SMS text message containing a link that, once clicked, begins the attack. Cyber criminals are turning to such attacks because many email programmes – Google Mail and Microsoft Outlook, for example – are now good at detecting phishing emails.
IoT Devices
IoT devices open up serious cybersecurity threats, especially in supply chains, where IoT tech is commonplace. According to Symantec, IoT devices experience an average of 5,200 attacks a month, and with IoT tech expanding almost exponentially, the attack surface available to cybercriminals is huge.
Needle has not moved on supply chain security
But the stark truth is too many businesses have a supply chain security problem. McDowell says that industry research suggests that on monitoring and mitigating cybersecurity risk in the supply chain “the needle has barely moved in the past three years”.
He says that with economic uncertainty “putting pressure on budgets and cybercriminal activity escalating” organisations “must urgently consider how they are going to address this”.
He adds: “Companies must urgently consider how they’re going to address this issue because maintaining the status quo is simply not sufficient.
“It’s a status quo whereby 97% of companies have experienced negative consequences due to a cybersecurity breach among the external vendors and suppliers that form their supply chain.”
More concerning still, says McDowell, is that BlueVoyant research shows that even among organisations that take steps to mitigate third-party cybersecurity risk, more than one-third reassess that risk only every six months. “And just 3% of them are able to monitor risk daily or in real time,” he says.
“A lot can happen in a week to take a supplier from compliant to high-risk,” McDowell points out. “So if you multiply that by the six months or more at which organisations are typically reassessing their vendors it is clear that the level of unmanaged risk is considerable.”
BlueVoyant’s research – conducted among 300 senior UK cybersecurity professionals – also found the average organisation had suffered more than four breaches in the 12 months of 2022, up from just over 3.5 breaches on average in 2021.
“This points to a huge visibility problem,” says McDowell. “The majority of cyber risk in the digital supply chain is going undetected for long periods. This allows potential attackers ample time to infiltrate systems, island hop from one to another and launch destructive attack campaigns with little risk of being discovered.”
He adds: “This means that most businesses are easy targets for attacks, and are exposed to the threat of operational disruption, financial losses and reputational damage during a time when economic uncertainties severely impact the chances of recovery.”
Cybersecurity vendor ecosystems can overwhelm firms
McDowell says that, when it comes to supply chain cybersecurity, many organisations “are understandably stumped by the scale of the issue”.
He adds that today’s vendor ecosystems are massive and complex, sometimes comprising thousands of suppliers with varying levels of access to a business’s systems and infrastructure. “Monitoring all these using conventional methods, such as surveys, generates a huge administrative burden and only provides limited assurance of a supplier’s cyber security posture at a single point in time,” he says.
McDowell says that although this “ticks a compliance box it doesn’t offer a picture of evolving risk that helps the business adapt strategically to the threat environment”. Typically, he says, businesses look more closely at top-tier suppliers, “which are mainly those with whom it has strategic relationships. But they have less bandwidth to monitor the long tail of other suppliers,” he adds. “Nevertheless, it only takes one of these lower-profile partners to become victim to an attack to set off a domino effect of network compromises.”
Resolving this, he says, requires “a step change” in how organisations gain visibility over third parties, and “deploying automation is the logical step to take”.
McDowell reveals that BlueVoyant’s research found that UK companies are less likely than those in other countries to use a vendor risk-management programme, with just 36% saying they have one in place,
James McDowell
TITLE: MANAGING DIRECTOR
COMPANY: BLUEVOYANT UK
INDUSTRY: CYBERSECURITY
McDowell is an established cybersecurity director who says he has “a natural entrepreneurial mindset and in-depth and wide-ranging expertise”. This expertise extends to information assurance, breach management and cybersecurity services.
The British government reports that almost