Cybercrime series – Supply Chain Attack

What is a supply chain attack?

A supply chain attack is when a hacker infiltrates your system through a third party, i.e. a partner or provider whose software or hardware has access to your systems and data. This can be hackers infiltrating a software company’s infrastructure and injecting malware into new software releases or security updates. It can also be hackers infiltrating a third party that is storing your data.

Supply chain attacks were fairly uncommon until recently. In 2017, two software developers, MeDoc and CCleaner, were compromised at source. This resulted in their customers being infected with malware when downloading the software or its updates. In June last year, companies and organisations in Ukraine and Russia were infected by malware known as NotPetya, which encrypted hard disks and caused widespread disruption. Other high-profile attacks include the Paradise and Panama Papers, where the law firm storing the data was breached.

Supply chain attacks are sophisticated and seek to do damage by targeting less-secure elements in the supply chain. They are extremely difficult to detect, so it is important to try to prevent these attacks from happening in the first place.

How to reduce the risk of a supply chain attack

The first thing you should do to reduce the threat of a supply chain attack is understand the risk. Make sure you know who your suppliers are and find out how their security works. That way you can understand what risks are posed.

You should then contact your suppliers and communicate your security requirements to them. Try to set minimum security requirements by building security considerations into your contract.

This is not a one-time project. Software changes and hackers get more sophisticated over time. Make sure you repeat these procedures regularly to ensure you keep the threat of a supply chain attack to a minimum.

Of course, only working with trusted providers and speaking to cybersecurity experts is vital in reducing the threat of a supply chain attack.

Why protecting your business is so important

With GDPR now in force, the consequences of a supply chain attack could be devastating for your business. If you don’t protect your data properly you could face penalties of up to 4% of total global revenue. Not to mention the effect a supply chain attack could have on your systems or ability to operate.

Cyber security for your business doesn’t have to cost thousands and thousands. By adopting a risk-based, proactive mind-set you’ll be able to consider what threat an attack might pose and where you might be vulnerable. You can then use this to create a protection strategy for your business.