How to protect your organisation from a supply chain attack
Supply chain attacks are increasing
When companies think about security, they most often think of securing their networks, software, and digital assets against cyber attacks and data breaches. However, the risks associated with a supply chain attack have never been higher.
Recent industry reports suggest that around half of all cyber attacks now involve the supply chain, and that supply chain attacks grew by more than 400% within the last year.
The growing number and severity of cyber attacks has prompted many organisations to invest more in cybersecurity. As defences have strengthened, attackers have had to become more creative and find new routes into their primary target. A weak supply chain gives them one: a trusted supplier, a software update or a third-party connection can carry an attacker past the perimeter of even a well-defended organisation.
The severity of supply chain attacks cannot be overstated, and the recent wave of these attacks suggests this method is now a favoured technique of state actors. The SolarWinds supply chain attacks were likely the most dramatic to date because of their exceptional scale. More than 18,000 organisations, including several U.S. government agencies, installed the trojanised SolarWinds Orion update, although the attackers pursued follow-on intrusions at only a small fraction of them, and it will be months before the full impact is known. SolarWinds is just one of numerous examples of why organisations must prioritise detecting and defending against these threats, because industry analysis makes it clear that the likelihood of large-scale attacks will only increase.
As supply chain attacks become more sophisticated and prevalent, it is essential that businesses take the right steps to reduce their risk. Below are some practical steps your organisation can take:
1. Assess your suppliers
Taking the time to evaluate the security and privacy controls of all your suppliers can reduce the likelihood of a breach. A supplier assessment is a starting point from which to build a comprehensive supplier resiliency programme. It should cover technical security controls (for example patching, access control, logging and how the supplier secures its own software build and release process) as well as governance, risk and compliance processes. With full visibility into the risks posed by suppliers, your organisation can put the right controls and processes in place and respond quickly and effectively when a supplier is breached.
2. Identify critical suppliers
Reviewing the risk profile each supplier presents to your organisation gives you a simple way to categorise them, so that the depth of your review matches the level of risk. A few simple questions help identify which suppliers are critical:
Does your organisation rely on them for the performance of a critical business function?
Do you provide this supplier with any protected classes of information (personal data, health records, payment card data, etc.)?
Do they have privileged or remote access into your network, for example VPN accounts, administrative credentials, API keys, or software that runs with high privileges on your systems?
3. Diversify your supply chain
Diversifying your supply chain reduces the risk of a single point of failure. If an organisation depends on one supplier for a good or service, its operations will be disrupted whenever that supplier is unable to operate because of an incident. Suppliers that manage or provide a service to essential assets should be identified and prioritised so that adequate security and business resiliency are maintained and the impact of any disruption is minimised.
4. Form business resiliency plans
Don't wait until an attack happens before forming a response plan. To deal effectively with any incident or business disruption that may arise, your organisation should have incident response, business continuity and disaster recovery plans in place that address the full range of incidents that could occur and set out appropriate responses. Those plans should include supplier-specific scenarios, such as a supplier's software update turning out to be malicious or a supplier's credentials into your network being stolen, and they should be exercised rather than just written. An effective plan helps you respond to and reduce the effect of an incident by limiting damage, improving recovery time, and detailing how communications will be managed within the organisation and with affected suppliers. Planning for a range of challenges ensures you have the capacity to contend with them efficiently and effectively, reducing the cost to your organisation. Third-party suppliers should also have an incident response plan in place, and an obligation to notify you promptly, so they can respond quickly to an attack and mitigate any risk to your business.
5. Cybersecurity awareness training
Industry figures suggest that around 88% of data breaches in the UK involve human error, and with the average cost of a breach estimated at £2.7m, these can be very costly errors. Cyber risks aren't always obvious to everyone, so it is crucial that every member of staff receives training that improves their knowledge and empowers them to identify risks, including supplier-themed phishing and requests to change supplier payment or access details. Knowing that your team has been trained in cyber security best practices gives reasonable confidence that the chance of a breach has been reduced, although training complements technical controls rather than replacing them. Cyber awareness shouldn't be seen as a one-and-done task. As the threats your organisation faces evolve, so should your training. Cyber awareness should be an ongoing programme rather than a one-off course for new starters.
Find out more about the cyber security training and awareness CyberCX can offer.