Understanding cyber attacks in your supply chain

Cyber attacks are an ever-present and increasing threat. According to the Department for Culture, Media and Sport’s latest Cyber Security Breaches Survey, for 2022, 39% of businesses in the UK said they had experienced a cyber attack in the past 12 months.

Any cyber attack is dangerous, but cyber attacks on supply chain companies carry a particular and distinct risk. Any disruption to a physical or digital supply chain can have a serious and costly impact beyond the company targeted. These are known as ‘one-to-many attacks’. Supply chain attacks rose by 42% in 2021, and 97% of companies have been impacted in some way by a breach somewhere in their supply chain.

There have been several high-profile supply chain cyber attacks, including:

  • Colonial Pipeline: a ransomware attack on May 6th 2021 caused this key oil pipeline system serving the south-eastern United States to close for a whole week, causing widespread gasoline shortages and costing Colonial $4 million in ransom fees.
  • Kaseya: on July 2nd 2021, this IT solutions developer was the victim of a ransomware attack in which its software was compromised and used to spread ransomware to the businesses that relied on its products, including roughly 1,500 small businesses.
  • Marquard & Bahls: in February 2022 this German energy giant was attacked and had its IT infrastructure destabilised. This resulted in the closure of more than 200 gas stations across Germany.
  • Cash App: this popular mobile payment tool acknowledged in April 2022 that a former employee had breached the company servers, affecting more than 8 million users.

These examples alone should be reason enough to be concerned about the rise of supply chain attacks.

How to mitigate cyber security risks in your supply chain

If you are not properly prepared for a cyber attack on your supply chain, the consequences to your business could be dire. As part of any good business continuity strategy, you should assess your supply chain risks and look to formulate a plan to mitigate your risk of any losses.

So how can you mitigate your risk of losses due to a cyber attack on your supply chain? Here are 5 steps you can take:

  1. Identify your supplier risk: you can’t fix what you don’t know about. Begin by making a list of all your vendors and suppliers for both goods and services. This includes everything from the cloud services your company uses to the companies that supply your office products, as well as any raw materials used in the products you manufacture. Review all of these vendors to identify their cybersecurity risks. If you need help with this, we can work with you to review your vendor security as part of a Cyber Security Audit and determine how much risk you carry as one of their customers.
  2. Create minimum security requirements for digital vendors: minimum security requirements can be used as a benchmark with your vendors. A good way to make this easier for yourself is to use an existing data privacy standard as your requirement. For example, if a vendor is GDPR compliant, then you know they have adopted several important cybersecurity standards that can protect your business and theirs from a cyber attack.
  3. Conduct an IT security assessment: conducting an IT security assessment will help you to understand where you’re vulnerable. If the software that you use has a vulnerability that could be exploited by hackers, how much does that leave your systems at risk? Do you have a patch application strategy in place to ensure that software updates are applied right away? The IT security assessment will help you identify how strong your systems would be at preventing a breach or ransomware attack coming from a digital supply chain vendor.
  4. Put backup vendors in place where possible: if you have a product that relies on a single supplier for a specific part, you’re at a much higher risk of downtime than a company that has two suppliers of that part. If a key vendor of yours is attacked and can’t fulfil orders or provide services for a week or more, that will impact your business significantly if you don’t have a backup. For example, having a backup internet service provider can help you avoid lengthy downtime should your main ISP go down. Look at putting this type of safety net in place for every vendor where you can.
  5. Back up your data via a third-party tool: it’s important to have a separate backup of all the data you store in cloud services. This will protect you in case of a ransomware infection or any other data or service loss. Microsoft recommends in its service agreement that customers back up the cloud data kept in its services, such as Microsoft 365. The policy states, “We recommend that you regularly backup your content and data that you store on the services or store using third-Party apps and services.”

Schedule a supply chain security assessment with San-iT

In addition to the steps above, it’s vital to ensure you’re not in the dark about the risks posed to your business. Schedule a supply chain security assessment to learn where you could be impacted in the event of a cyber attack on a supplier.