Posted 8th January 2023
The most dangerous cyber-attacks are often those made against companies that make up supply chains, as they often have far-reaching consequences across many different businesses and organisations.
A prime example of a supply chain attack is the one suffered by AccessPress. AccessPress is a WordPress plugin developer whose products are used on over 360,000 websites across the globe. AccessPress was the victim of a huge supply chain attack; it is believed that 93 WordPress themes and plugins were replaced by ‘backdoored’ versions, which gave the hackers full access to websites that had inadvertently installed the altered themes and plugins. There were multiple other high-profile supply chain attacks in 2022, including the Log4Shell vulnerability, SolarWinds and Comm100, to name a tiny portion of the companies that suffered.
Supply chain attacks are growing. In October 2022, the NCSC (National Cyber Security Centre) issued new guidance due to the recent rise, and it is expected that both attempted and successful supply chain attacks will continue to grow in number in 2023. If your business is not prepared, then being affected by a supply chain attack will mean that you will likely lose access to services and data as a result. As part of your Cyber Security Strategy, it is vital to look at what you would do in the case of a supply chain attack and ensure you have a plan in place to mitigate any risks and recover in the event of a successful attack.
Undertaking an assessment of your cyber security is vital to understanding how much risk your business faces. There are various elements you need to consider, including, but definitely not limited to:
This is where your weakness lies in respect of supply chain attacks; it is important to know your suppliers. When businesses consider suppliers, they do not always consider the software that is being used; this is a significant mistake in the current cyber threat climate. The 2022 attacks on AccessPress and the Log4Shell vulnerability have highlighted the risks involved in not only the software you use but also the software your suppliers use.
Remember, your business could well be the intended target of the supply chain hackers, who are looking for the path of least resistance to reach you; your suppliers could well be the entry point they are looking for. Alternatively, your business may be a potential entry point to the end target, and lapses in your security could be putting another business at risk.
So, make a list of all your suppliers, including software, that you use in your business and review them to help identify potential risks to your cyber security.
Having a defined set of minimum cyber security standards as part of the supplier vetting process can help minimise cyber threats. Whether you define your own standards or you choose an IASME or Government-backed accreditation such as Cyber Essentials is entirely your choice. Your clearly defined security requirements can also become part of your business’s digital data policy, and your suppliers can understand from the very start of your relationship what is expected of them.
Cyber threats are ever present, with the 2023 cyber threat trends including Malware and Ransomware, to name just two, which means that the risk of a successful attack must be considered. It is essential that all business-critical data is backed up regularly and separately from your main systems.
Even Microsoft recommends that its customers back up their data held in Microsoft 365 with a third-party tool in a separate platform. This protects the data in the event of a cyber-attack.
Keeping your business operational, or returning it to full functionality as quickly as possible after a cyber-attack, is key to surviving the attack, from both a financial and a reputational perspective.
This is why having a wide network of potential suppliers that you can do business with could be advantageous; that way, your business does not rely on just one supplier for a particular part of your business offering. If you were exposed to a supply chain attack, you may then be able to pick up working again much more quickly. Think of this network as a necessary safety net.
It’s important to be open about the potential risks of a supply chain attack and the effect it may have on your business. Contact us for a review of your cyber security to ensure that you are protected.