Europol expects the risk of cyberattacks and data breaches that originate along an organisation's supply chain to increase.
The National Cyber Security Centre (NCSC) says companies are trusting their unproven third-party connections when they shouldn’t.
Cyber Security Connect UK says there is a fragmented approach to supply chain cybersecurity and that the risks are high.
Supply chain risk a prominent theme in cybersecurity
In Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2019, just released last week, supply chain cyber attacks were highlighted. Professor Alan Woodward from the UK’s University of Surrey says:
“As hardware and software manufacturing supply chains become ever more extended, the cybersecurity of some extremely important targets will become dependent upon the weakest link in this chain. Due diligence and sound engineering processes must be a part of any Secure Development Life Cycle.”
An increasing concern
Europol says companies in the private sector are increasingly concerned about cyber attacks originating in the supply chain:
“i.e. the use of compromised third parties as a means to infiltrate their network.”
Some businesses even indicate that supply chain attacks are viewed as the highest risk. These supply chain cyber attacks could come from suppliers of hardware or software but also from other business services, especially those that are more tightly integrated with a company.
The recent Marriott hotel data breach is an example of an attack that took hold after a larger company acquired a smaller company with weaker cyber protection.
Europol points to reporting that says supply chain attacks increased by 78% in 2018. These attacks are increasing in sophistication, with even fourth- or fifth-party suppliers exploited to reach further up the chain. Europol's latest cyber update also found that attacks were increasingly bold and focused on high-value targets, businesses, and their data.
The Ponemon Institute says that last year 61% of US organisations blamed a vendor or partner for a breach, and that 75% believe supply chain breaches are likely to reoccur.
Security awareness essential for all business managers, not just CISOs
Other new research by Cyber Security Connect UK (CSCUK) in its “CISO and vendor relationships in the supply chain” report points to:
“A fragmented approach to cyber security in the supply chain and that a high level of risks are present which need to be closely monitored and reviewed.”
The CSCUK says CISOs focus on supply chain cybersecurity but other business managers are less aware. Therefore, CISOs need to be more involved in the procurement process when taking on new suppliers and vendors.
Chair of the Cyber Security Connect UK steering committee and CISO at Freshfields Bruckhaus Deringer, Mark Walmsley, says:
“We found that 97% of CISOs see the supply chain as a source of risk, so there is an urgent commitment needed to mitigate risk exposure when undertaking a procurement exercise.”
Walmsley adds that "fragmented standards and cross-border working exposes some sectors to greater risk."
ZDNet spoke with Paul Chichester, director of operations at the National Cyber Security Centre (NCSC), who said what organisations are "not currently doing is seeing third-party connections to their network as untrusted."
Companies are defending their own networks with processes, patches, updates, two-factor authentication and so on, but are wrongly assuming that third-party suppliers are doing the same. They shouldn't make this assumption unless they have good reason to trust a supplier's cybersecurity.
Chichester says there are also mature organisations that recognise a “duty of care” to their supply chain and:
“We see companies who’ve spent many millions defending themselves realise that’s actually just the first stage and actually investing further down the supply chain is the next.”
Can larger companies help smaller ones?
It may be that larger companies can assist their smaller vendors with cybersecurity and, in doing so, boost their own. Chichester further says:
“Maturity in the supply chain is recognition that this is a shared problem. The most mature organisations take a really positive approach to that and recognise they’ve got a duty of care to the companies that supply them.”
Chichester's NCSC believes its message to public and private organisations about investing in cybersecurity overall, not just in supply chain risk, is getting through. But as companies improve their defences, cybercriminals are adopting new attack methods to sidestep these protections. Chichester told ZDNet:
“The adversary is never going to give up, they’re going to change their tactics and we have to move further down the chain and think about how do we protect those smaller organisations that aren’t as well protected.”
Corporate supply chains are becoming more complex, compounding supply chain cybersecurity risk. Another survey found that some companies said they shared confidential and sensitive information with as many as 583 third parties. Here at The Defence Works we have penned another article on supply chain risk, including a number of actions to mitigate the problem.