Most cyber security experts will agree that supply chain security deserves more attention from businesses around the UK.
Due to the lack of conversation on supply chain security, it's currently overlooked by most businesses.
This article will help you understand what supply chain security is and exactly how to go about protecting your business from 3rd party breaches.
Have you ever thought about how hackers and cyber criminals get into some of the world's most lucrative brands?
It seems even when these large organisations spend hundreds of thousands to keep themselves secure, they can still find themselves falling short.
Whilst it's very possible that these large organisations could be directly breached through ransomware, DDoS or any other type of attack.
Sometimes, cyber criminals can find a smaller business that works with the larger organisation in some capacity and hack the smaller business to get an entry point to the larger organisation.
This is Supply Chain Security, where cyber criminals initially breach the target business's vendors instead of the target business, in order to get into the target business through the backdoor. This is often also referred to as a third party breach or a backdoor breach.
Often you'll find the target business is a large organisation that spends a significant amount of their budget on cyber security and the vendor, usually a smaller business, does not spend anywhere as much on cyber security - if at all.
The UK Government defines micro-businesses as firms that have around 0–9 employees and small businesses as firms that have around 10–49 employees. If you fall under these two brackets, it's incredibly important to understand how you can prevent your small business from getting caught up in a much larger organisation's breach.
Likewise, if you're a larger organisation, you don't want a breach of your vendors to cause a breach in your organisation.
So let's dive into supply chain security in-depth so we can discover how you can prevent a supply chain breach from occurring at your business.
The impact can certainly vary as it is often dependent on what an organisation already has in place for worst-case-scenario events.
Unfortunately, according to Gartner, 60% of small businesses will not be able to continue operating after a supply chain breach.
This is why it's incredibly important for small businesses to secure their supply chain as the result can often be catastrophic. In fact, in most cases, the large businesses are not going to be impacted in this same way.
Whilst the following can also happen to small businesses, it is far more frequent with larger businesses:
At the very least, you can expect other businesses to be wary about working with a business that was the cause of a supply chain breach.
After a supply chain breach, the ICO could fine your organisation up to 4% of your global turnover if they find you didn't do enough to protect the data of your clients. This is what can ultimately cause a business to end up in administration.
In the past decade, we've seen some incredibly disastrous third-party breaches from companies such as Tesla, Toyota, Fiat/Chrysler, Ford, General Motors, and Volkswagen.
However, there's one example that is worth highlighting over the rest...
The Target store chain was breached after cybercriminals found a way into one of their HVAC (air conditioning) suppliers' systems.
This meant the cybercriminals got access to Target’s internal network which enabled them to install malware on a majority of the retailer's systems as well as collect unencrypted credit and debit card information.
This resulted in 70 million customers and 40 million credit cards and debit cards from the retailer being breached.
The reason I wanted to highlight this over the rest is because it shows the importance of both sides being secure.
Both the HVAC supplier and Target could have been better prepared for this breach. For instance, Target seemed to fail to respond to any of the automated warnings from their anti-intrusion software.
Do you know what got the ball rolling for the cybercriminals?
An email containing malware.
This is why it is incredibly important to educate your staff on Phishing and Malware, we like to stick to the simple principle "think before you click" when checking emails.
Target needed their cyber security operation to be on the hunt for proof that these cyber criminals were looking to breach their systems in the first place. Instead, they sat back and waited for their tools to fix the problem for them.
Always use your tools and software to be on the lookout for evidence that cyber criminals are trying to cause harm to your organisation.
So, now that we've seen how these breaches can happen to organisations of any size, let's talk about how you can make your own organisation more secure to prevent these breaches.
Whether you're a small or large business, the first thing you need to do is take a holistic view of all of your vendors and suppliers and assess what data each vendor should have.
You should then discover whether your suppliers and vendors have the necessary cyber security controls in place to protect their organisations.
If you can receive in-depth reports and audits of your vendor's cyber security operations, you'll be able to spot and fix issues before they become a problem.
You can ensure your organisation's security requirements are being met by assessing your vendors' cyber security protocols and controls at a granular level.
In this way, you can see clearly how much access each individual at each vendor has to your data.
This keeps your data more secure as you know exactly who has what data.
The Cyber Essentials scheme was developed by the National Cyber Security Centre (Part of GCHQ) to help businesses of all sizes achieve an 80% risk reduction.
The scheme is particularly focused on small businesses as these organisations often have very little in place in regard to cyber security.
Achieving Cyber Essentials is easy and cost-effective and it shows all stakeholders within the supply chain that you're taking data protection seriously.
Also, as Cyber Essentials certification needs to be renewed annually, this means you can easily filter out any issues that could prove catastrophic to yourself or vendors.
Achieving the Government-backed, Cyber Essentials certification is also becoming a growing requirement amongst suppliers and vendors in the United Kingdom.
In fact, if you have ambitions of working with the Ministry of Defence or bidding for any Government tenders, the Cyber Essentials certificate is a must.
When asked about Cyber Essentials, the Minister for the Cabinet Office, Francis Maude said:
“It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business’s clear stance on cyber security.
“Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so.”