How to identify and manage cybersecurity risks in your supply chain

26 Feb 2019
Article by Achilles

Cybersecurity is a fact of life for businesses. A report published by the UK Department for Digital, Culture, Media and Sport in 2018 showed that 43% of companies surveyed had experienced a cyber attack in the last 12 months. According to Oz Alashe, founder and CEO of CybSafe and Achilles cybersecurity ambassador, the nature of the risk is changing, and cyber attacks are becoming an important supply chain issue.

“When most people think about cybercrime, they imagine sophisticated attacks targeting FTSE 250 businesses, but this isn’t the complete picture,” explains Oz. “On the whole, a majority of criminals don’t tend to target the prosperous and well-defended. They attack the unprepared. This means that, especially for global companies, the chink in their security strategy is usually found not in their own robust networks but in the smaller suppliers they do business with – or even a supplier of a supplier.”

This was highlighted in the utilities sector in 2017, when Russian hackers gained access to the US electric grid via key suppliers of the power companies. The fact that many of the control and analysis systems used in energy production and distribution, aviation, water companies and manufacturing weren’t designed with the threat of cyber attacks in mind makes utilities and infrastructure particularly vulnerable. Companies now face three main threats, says Oz, and they’re all interconnected.

Key cybersecurity risks

1 – Social engineering

This happens when a person is manipulated into giving information or introducing a threat into their company’s systems. Phishing and 419 scams are basic examples most people are aware of, but more sophisticated methods can involve gifts, free trials and persuasion using social media. “There is variance from sector to sector, but human-related breaches are ubiquitous,” explains Oz. “Four of the top five causes of data breaches are because of human or process error.”

2 – Malware / ransomware

“Why? In part because it’s so simple. It’s relatively easy to deploy and execute. Ready-made toolkits mean that even an amateur can put together and distribute a ransomware package. The associated risks or costs of carrying out an attack are minimal,” says Oz.

3 – Vulnerabilities in IoT devices

“The growth of the Internet of Things has brought dramatic changes to the cybersecurity landscape in recent years. As connected devices increase in circulation by the day, so the attack surface area also increases. Vulnerabilities in these devices are almost inevitable. Once a critical mass of machines is compromised, criminals can launch DDoS attacks,” explains Oz.

How to mitigate cybersecurity risks

To protect themselves better, companies need to consider both technical issues and the role people have to play in cybersecurity. On the technical side, having the right enterprise-level solution is crucial. It should cover file encryption, backups, financial records, customer data, online payment systems, cloud security, industrial control systems and endpoint security, including IoT devices. This should be coupled with IT practices that cover network access, system administration, efficient patching and application controls.

“On the human side of things, it means introducing education programmes that bolster knowledge, improve behaviour and incentivise staff to practice good cybersecurity hygiene. Introduce sensible security policies: don’t make life difficult for staff. These must be people-centric, be more than box-ticking and be underpinned by scientific evidence,” explains Oz.

Make cybersecurity part of your CSR policy

With hackers targeting suppliers in order to infiltrate larger organisations, it’s important for companies large and small to treat cybersecurity as a supply chain issue, and there are even calls for it to become a fully-fledged area within CSR policy. In 2018, the General Data Protection Regulation (GDPR) came into effect across the EU. It contains robust protections for consumers’ personal data, and cyber attacks are one way in which this can be threatened. However, as highlighted in the UK’s Cyber Security Breaches Survey mentioned above, only 27% of businesses have a cybersecurity policy in place.

“Regulations aside, there’s an inherent business benefit to properly managing cybersecurity supply chain risk,” says Oz. “As readers will know, disrupted supply chains eat into margins. Downtime of just a few hours can be catastrophic. A production line going offline can lead to massive losses. Fundamentally, good cybersecurity makes good commercial sense.”

Reduce the risk to your supply chain

As cyber attacks pose an increasing threat to supply chains, it’s important for both buyers and suppliers to make sure their businesses are prepared. The UK study showed that 74% of companies considered cybersecurity to be a high-priority issue, yet 73% of them had no policy in place. With our Rewards programme, UK suppliers are eligible for exclusive 20% discounts on cybersecurity training and compliance with CybSafe and CyberSmart. Avoid being among the 43% that could face a breach in 2019.

