Supply Chain Cybersecurity: Is your business at risk?

A supply chain is a group of businesses working together to produce and distribute goods and services. For example, a large, well-known business might have its standalone supply chain.

At the same time, a larger supply chain or network can supply to other smaller businesses. Targeting a single supplier means that attackers can compromise hundreds of corporate clients, many of whom are SME’S. The number of supply chain attacks is constantly rising, expected to increase by 40% in 2022.

At Lucidica we help SME’S all the time and know the kinds of cyber threats, they’re under. Let’s take at how supply chain attacks occur and what to do to prevent them.

How do they occur?

Supply chain attacks occur when malicious code is injected into an application used by various companies, infecting users of an application. They can take place through multiple vendors such as email, SMS, social media, instant messages and pop-ups.

Companies often place trust in applications and services such as HR management and Microsoft Teams – typically containing access to sensitive or valuable internal data. Third-party suppliers may use software from other business partners, who in turn have their outside connections – this means a supply chain attack can several companies, big or small making it even harder to spot.

A successful supply chain attack can be a major blow. When the ‘NotPetya’ attack happened in 2017, accounting software used by several organizations was breached as cyber attackers who brought down critical systems of businesses all over the world. This resulted in millions of pounds of damage and lost revenue.

Another notable attack includes Solar Winds compromised in 2020, with more than 18,000 customers worldwide being affected. Hackers inserted malicious code with Orion, a network management system used globally by several companies. Going undetected they installed the malicious code into a software sent out to customers of Solar Winds – affecting thousands of organizations and installing even more malware.

What does this mean for your SME?

SME’s are often small businesses with little to no cyber defense meaning that a hacker can easily infiltrate business systems and procedures.

SME’s often lack a dedicated IT department meaning required standards and procedures are not being met. A supplier can be a doorway into a SMEs business and data putting them at risk of an attack. In 2013, American retailer Target experienced a data breach, as cybercriminals used a third-party supplier to steal customer credentials. As you might’ve guessed, millions of credit card details were stolen from customers costing Target 200 million dollars and 18 million dollars in lawsuits.

Potential threats for SME’S

• Breaching of customer data may result in potential lawsuits
• Damages to reputation and brand image
• Cost of hired IT experts to investigate the issue
• Loss of business resulting in loss of employment opportunities
• Costs of responding to cybercrime
• Financial loss from fraud and ransoms

How to prevent supply chain attacks

• Get to know your supply chain: evaluate supplier policies which may include governance, risk and compliance processes, reducing the likelihood of a breach
• Conduct audits – take the necessary steps to protect data, find out where it resides and who has access to determine how much your supplier knows.
• Create an incident response plan – knowing how to deal with breaches and setting out appropriate responses can protect your SME from supply chain attacks.
• Cybersecurity training – educate staff on all aspects of cybersecurity such as company policies, password security, and attack methods.

Whether you’re a design agency, a construction company or a small accounting firm, your business will have a large network of suppliers, delivering physical and digital services. As supply chain attacks continue to rise, such networks become difficult to gain control over – especially with cybersecurity.