How to identify and manage cyber security risks in your supply chain

Article by Achilles

Cyber security is a fact of life for businesses. A report published by the UK Department for Digital, Culture, Media and Sport in 2018 showed that 43% of companies surveyed had experienced a cyber attack in the last 12 months. According to Oz Alashe MBE, founder and CEO of CybSafe and Achilles cyber security ambassador, the nature of the risk is changing, and cyber attacks are becoming an important supply chain issue.

“When most people think about cybercrime, they imagine sophisticated attacks targeting FTSE 250 businesses, but this isn’t the complete picture,” explains Oz. “On the whole, a majority of criminals don’t tend to target the prosperous and well-defended. They attack the unprepared. This means that, especially for global companies, the chink in their security strategy is usually found not in their own robust networks but in the smaller suppliers they do business with – or even a supplier of a supplier.”

This was highlighted in the utilities sector in 2017, when Russian hackers gained access to the US electric grid via key suppliers of the power companies. The fact that many of the control and analysis systems used in energy production and distribution, aviation, water companies and manufacturing weren’t designed with the threat of cyber attacks in mind makes utilities and infrastructure particularly vulnerable. Companies now face three main threats, says Oz, and they’re all interconnected.


Key cyber security risks

1 – Social engineering

This happens when a person is manipulated into giving information or introducing a threat into their company’s systems. Phishing and 419 scams are basic examples most people are aware of, but more sophisticated methods can involve gifts, free trials and persuasion using social media. “There is variance from sector to sector, but human-related breaches are ubiquitous,” explains Oz. “Four of the top five causes of data breaches are because of human or process error.”

2 – Malware / ransomware

“Why? In part because it’s so simple. It’s relatively easy to deploy and execute. Ready-made toolkits mean that even an amateur can put together and distribute a ransomware package. The associated risks or costs of carrying out an attack are minimal,” says Oz.

3 – Vulnerabilities in IoT devices

“The growth of the Internet of Things has brought dramatic changes to the cyber security landscape in recent years. As connected devices increase in circulation by the day, so the attack surface area also increases. Vulnerabilities in these devices are almost inevitable. Once a critical mass of machines is compromised, criminals can launch DDoS attacks,” explains Oz.

How to mitigate cyber security risks

To protect themselves better, companies need to consider both technical issues and the role people have to play in cyber security. On the technical side, having the right enterprise-level solution is crucial. It should cover file encryption, backups, financial records, customer data, online payment systems, cloud security, industrial control systems and endpoint security, including IoT devices. This should be coupled with IT practices that cover network access, system administration, efficient patching and application controls.

“On the human side of things, it means introducing education programmes that bolster knowledge, improve behaviour and incentivise staff to practice good cyber security hygiene. Introduce sensible security policies: don’t make life difficult for staff. These must be people-centric, be more than box-ticking and be underpinned by scientific evidence,” explains Oz.

Make cyber security part of your CSR policy

With hackers targeting suppliers in order to infiltrate larger organisations, it’s important for companies large and small to treat cyber security as a supply chain issue, and there are even calls for it to become a fully-fledged area within CSR policy. In 2018, the General Data Protection Regulation (GDPR) came into effect across the EU. It contains robust protections for consumers’ personal data, and cyber attacks are one way in which this data can be threatened. However, as highlighted in the UK’s Cyber Security Breaches Survey mentioned above, only 27% of businesses have a cyber security policy in place.

“Regulations aside, there’s an inherent business benefit to properly managing cyber security supply chain risk,” says Oz. “As readers will know, disrupted supply chains eat into margins. Downtime of just a few hours can be catastrophic. A production line going offline can lead to massive losses. Fundamentally, good cyber security makes good commercial sense.”

Reduce the risk to your supply chain

As cyber attacks pose an increasing threat to supply chains, it’s important for both buyers and suppliers to make sure their businesses are prepared. The UK study showed that 74% of companies considered cyber security to be a high priority issue, yet 73% of them had no policy in place. With our Rewards programme, UK suppliers are eligible for exclusive 20% discounts on cyber security training and compliance with CybSafe and CyberSmart. Avoid being among the 43% that could face a breach in 2019.
