Just like businesses, cyber criminals and hackers are always innovating, in the constant search for new and unexpected ways to break through our defences. And as today’s businesses rely on an ever-increasing web of suppliers and partners to run their day-to-day operations, a new frontier is opening up for cyber-attacks and data breaches - supply-chains.
According to Securing the Supply Chain, a study from CrowdStrike, two-thirds of organisations experienced a supply-chain attack in the past 12 months, while 80% of security professionals believe they will become one of the biggest cyber-threats over the next three years. And despite the growing threat, it appears many businesses are overlooking supply chain security, with the 2016 Security Breaches Survey noting that few UK businesses set minimum security standards for their suppliers.
A supply-chain cyber-attack - also known as a value-chain or third-party attack - occurs when computer networks are exploited via the privileged access given to their partners. The recent high-profile Ticketmaster breach, which affected 40,000 customers, is one such example, occurring due to malicious software being planted on a third-party customer support product on its website.
Another example at US retailer Target, back in 2013, was one of the largest data breaches in the history of retail. In that case, around 40 million customers’ credit and debit cards became susceptible to fraud after malware was introduced into the Point of Sale (POS system).
So, how can businesses avoid falling victim?
- Assess the risks: As with your internal cyber security, forewarned is forearmed, so ensure you understand the different risks involved in your supply chain. That includes looking at the data you’re sharing with your suppliers, where and how they have access to your systems, and critically, understanding the full nature and extent of the suppliers that you’re working with, including all of their subcontractors, and the security they already have in place. Then it’s a case of running through worst-case scenarios in terms of what could happen – here are some of the main culprits – and identifying how your supply chain needs to be set up to mitigate those threats. If there are holes in the system, then work to get those plugged asap.
- Take control: Once you know where the risks are, put standards in place for all your suppliers to mitigate for these threats on an ongoing basis. The level of security you require probably won’t be the same for every supplier, so you may choose to implement a risk rating system, with different standards depending of the nature of the contract. Our Ultimate Guide to Cyber Security includes an overview of the cyber security measures that all organisations should have in place, so this is a good place to start, and the Government’s Cyber Essentials guidance is another fantastic resource. Then once you’ve agreed what these essentials should be, include them as a standard part of every supplier contract, so that everybody knows what is expected from the outset. Also think about including consequences as to what will happen if the standards aren’t met or if an attack does occur, for example enabling your IT forensics team to investigate on their premises, so you covered for that eventuality.
- Don’t let it slip: Unfortunately, cyber security isn’t a case of ticking the box and being done with it; it requires constant vigilance to be effective. Consequently, you need to put processes in place to manage your suppliers on an ongoing basis, to ensure they’re continuing to fulfil their obligations. This can include meeting key performance indicators, reporting back on certain measurements or targets, and managing their subcontractors in the same way. You can also include a ‘right to audit’ in your supplier contracts, giving you the option to physically go in and check that they’re doing what they should be.
- Keep striving for better: Cyber threats are constantly evolving and so should the security of your supply chain. Help your suppliers to keep up to date by sharing relevant news and updates and suggesting how they might enhance their technology and processes in response to new risks. Where security is really critical, also consider running training with your suppliers’ staff, to provide additional confidence that they are fully on top of things.
- Open lines of communication: Chances are your suppliers are taking cyber security as seriously as you are, so building trusting relationships will make it easier to combat the threat together. That means encouraging openness and transparency about issues, lessons and where security can be improved. Sharing security knowledge across the whole supply chain will bring benefits for everybody.
- Get covered: And finally, ensure that all your suppliers are covered by cyber insurance, so if any part of the supply chain is hit, you have a final line of defence in place. In the event of a cyber-attack or data breach, cyber cover will pick up your suppliers’ legal fees, compensations costs, as well as additional expenses such as system downtime and loss of earnings. And with Superscript, you also have access to an incident response package, including legal experts, forensics, PR support and notification of affected customers. So, you and your supply chain will be back on your feet as soon as possible.
Want to know more about how cyber liability cover can help protect your supply chain? Then drop us a line at firstname.lastname@example.org or give us a call on 0333 772 0759, and one of our team can help.