With cyber security, the common maxim today is a chain is only as strong as its weakest link, and when it comes to supply chains, this could be practically anywhere. Businesses need to ask themselves what and where the soft spots in the armour are, and if anything can be done to manage those risks.
Today’s attackers are always on the lookout for new ways to infiltrate businesses and get their hands on their sensitive data, and are finding entry points through vendors and third-party partners. This means that all businesses, even the ones with the best security tools and solutions in place must seriously consider how well they are able to defend against threats that are introduced by third-party suppliers.
This lesson came into sharp focus in December 2020, when IT monitoring and management solutions company SolarWinds, was the subject of a breach that spread to its clients and went undetected for months. The malefactors behind the attack were able spy on several top-tier private companies such as cyber security giant FireEye, Microsoft, and several US Government agencies, including the Department of Homeland Security and the Treasury Department. Updates to the company’s Orion software application were trojanised, turning it into a back door that could communicate with third-party servers.
While this was far from the first supply chain attack, it was definitely the one that made the world sit up and take notice. It was described as 11 out of 10, and many security experts said the impact will be far ranging, lost lasting and much worse than we think.
The attack in 2013 against retail giant Target is another prime example. Bad actors compromised systems at one of the company’s suppliers, then used the application’s trusted status to get a foothold in the retailers network and compromise sensitive information.
Unfortunately, as well protected as an organisation is, it has no control over the security measures implemented by its supply chain, and hackers realise that by attacking the weakest links within the company’s network, they can not only go after multiple targets at once, they can wreak major havoc, and slip through the security nets while doing so.
These attacks, which can take months to detect, can result in personal data being compromised, operations being halted or disrupted, money being stolen, massive fines being levied against the company, and its reputation being destroyed.
So how can these attacks be prevented? Well, while there’s no silver bullet, there are a few ways company's can lessen the chances. Firstly, prevent shadow IT by minimising the number of users that are allowed to install unapproved apps, which will shrink the attack surface. Review access to confidential data - no user should have access to anything they don’t strictly need in order to do their jobs. Known as the principle of least privilege, this works because the fewer people have access to data, the lower the risk of a supply chain attack being successful.
Finally, implement cyber security awareness training. All users within your organisation and your supply chain need to understand how data breaches can occur and how they can help pinpoint threats and prevent attacks. Training should educate users on various aspects of cyber security, including password security, social engineering, company policies, phishing and suchlike. The more users understand these threats, the faster they will react in the event of an incident, and the better protected your network will be.