Companies need to recalibrate their approach to effectively protect data


By AJ Thompson, CCO, Northdoor plc.

With the MOD and police forces consistently becoming victims of cyber-attacks via supply chains, all organisations need to be aware of the threat.

Cyber-attacks originating in the supply chain are now a regular and extremely effective way for cyber-criminals to gain access to organisations’ data and infrastructure.

We have seen over the past few years companies from across all sectors become victims of supply chain attacks. As these attacks are happening across multiple sectors and to all organisations, no one can afford to ignore the threat. Indeed, organisations that you would expect to have the highest levels of security in place have been targeted and successfully attacked.

Supply chain attacks negate frontline investment in cyber-security

The very nature of supply chain attacks means that no matter how much budget is spent on frontline cyber-defences, vulnerabilities that lie within partners’ systems will essentially let the cyber-criminal in through the ‘back-door’.

This means that all organisations are at risk, and recent examples highlight this.

One key incident occurred in August 2023, when Ministry of Defence (MOD) documents were leaked online following the hack of a supplier. Zaun, a security fence manufacturer which provides fencing for some MOD sites, suffered a data breach after the Russian ransomware group LockBit broke through its defences.

Like so many supply chain hacks, Zaun was not the ‘real’ target of the Russian group, but rather its customers, the main one of which, unsurprisingly, was the MOD. The nature of supply chains means that systems are now comprehensively interconnected, which means if one company in the chain gets hacked, all others within the network are at risk. By circumventing the MOD’s own substantial frontline security and entering via the ‘back-door’, the Russian hackers were able to gain access to potentially highly sensitive data.

Another recent example also highlights how organisations with the highest levels of security are still being undone by supply chain attacks. The Metropolitan Police was also the victim of a supply chain attack in August 2023, when one of its IT suppliers was successfully hacked by cyber-criminals, potentially leaving the details of thousands of serving police officers and support staff at risk.

Earlier in 2023, the hack of software provider MOVEit saw the data of a huge number of large organisations stolen. MOVEit provides managed file transfer software services, and the files transferred often include payroll details. It was attacked by a ransomware gang, and many of its high-profile clients were impacted, including PwC, Aon, BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, Cognizant and more.

The MOVEit hack is a great example of how, with minimal effort, a cyber-criminal can gain access to multiple large companies’ data.

Time to recalibrate our thinking about supply chain security

The three attacks in 2023 show how all organisations, no matter their size or level of cyber-security budgets, are vulnerable to supply chain attacks. There has been a tendency for smaller organisations to presume that they will not be targeted as cyber-criminals will only be interested in enterprise-level companies. However, this is not the case, and everyone needs to recalibrate their thinking on supply chain security.

Large organisations need to realise that their investment in frontline cyber defences is useless unless it is backed up with sufficient protection from supply chain attacks. Smaller companies must be aware that they are as likely to be impacted by a supply chain attack as enterprise-level companies.

Gaining a 360-degree view of supply chain vulnerabilities

Companies of all sizes are turning to solutions that can provide a full view of potential vulnerabilities within their supply chain. Until relatively recently, the most common way of ascertaining the level of a partner’s cyber-security capability was a questionnaire.

This, of course, is completely reliant on the honesty and knowledge of the person filling it out: an approach that is no longer acceptable when the threat from cyber-criminals is so large and their tactics are constantly evolving.

Solutions that can provide a 360-degree view of your entire supply chain, highlighting where possible vulnerabilities might lie, allow organisations to address gaps in security immediately. This means current partners have a chance to improve security before cyber-criminals take advantage, and potential partners can address concerns before any contract is signed.

Supply chain cyber-attacks present an incredibly efficient way for cyber-criminals to obtain data. As a result, they will only be upping their efforts in the coming weeks and months. Companies of all sizes will be targeted, so current ways of ascertaining possible vulnerabilities within supply chains need to be changed urgently, alongside a recalibration of current thinking about how partner networks offer an easy route in for the cyber-criminal.
