Last year, 39% of businesses in the UK discovered that they had been the target of cyber attacks.
Those findings, published by the National Cyber Security Centre (NCSC) in its 2022 Cyber Security Breaches Survey, highlight the ever-present, pervasive and persistent nature of cybercrime.
One attack stands out above all others. According to Brad Smith, vice-chairman and president of Microsoft, the attack on US management software company SolarWinds was “the largest and most sophisticated attack ever”.
The 2020 breach was significant as it compromised SolarWinds’ data, plus the data of at least 100 of its clients. That meant an entire supply chain, which included the US military and the Pentagon, as well as a number of leading finance companies and universities.
Professor Steve Schneider, the director of the Surrey Centre for Cyber Security, explains how the attack was carried out. “Instead of attacking a raft of major companies and institutions at the front end, the hackers infiltrated a SolarWinds network monitoring program. They then created an extremely sophisticated update, which contained malware. This enabled the hackers to access highly privileged and sensitive data plus the networks and systems of SolarWinds’ clients.”
Since the breach, which was reported in December 2020, there has been no let-up in the number of cyber attacks on supply chains. A study by the European Union Agency for Cybersecurity (ENISA), for instance, revealed that third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020.
According to Black Kite, a cyber security firm which specialises in third-party risk management, Air France, KLM and Nissan America are just some of the organisations reporting data leaks in the past 18 months that were caused by third parties. Another NCSC statistic is equally telling: it found that fewer than one in 10 organisations were “monitoring risk posed by the supply chain”.
But arguably it was 2021, the year in which the world was wrestling with the Covid-19 pandemic, that saw some of the most high-profile attacks. In January of that year, an attack on Microsoft Exchange impacted 250,000 servers, 30,000 companies and the Norwegian parliament.
Six months later, Kaseya, an information technology management and security software company based in Florida, was hit by a ransomware attack that temporarily shut down the operations of around 1,500 companies. In Sweden, the attack led to a supermarket chain being shut down for a week, while in New Zealand schools and kindergartens were affected.
All of these larger organisations were targeted through vulnerabilities in smaller third-party partners.
How attackers target the weakest link
Emily Taylor is the CEO of Oxford Information Labs and an associate fellow of Chatham House’s international security programme. She notes that supply-chain cyber attacks through third-party software providers “not only illustrate the vulnerability of digital supply chains but the indiscriminate and widespread damage that such attacks can cause”.
Dr Kalina Staykova, assistant professor in the information systems and management group at Warwick Business School, has researched cybersecurity supply chain attacks. She thinks that attacks targeting IT-management providers only tell half the story.
“Cyber attacks come from suppliers across all industry tiers,” she says, and adds that while most companies “focus on assessing the cyber risks coming mainly from tier-one and tier-two suppliers, threats also come from suppliers deep within the value chain”.
She points to a cyber attack on Target, a large US retailer with operations in every US state. “In the case of Target, attackers breached its cyber defences by infiltrating a third-party vendor – Fazio Mechanical Services, a heating, ventilation and air conditioning company,” she explains.
This hack raises an important question. Are smaller suppliers that provide services to larger companies more vulnerable to cyber attacks than larger vendors?
While few concrete studies validate this hypothesis, research by the NCSC revealed that larger companies, due to “increased funding and expertise”, had “more enhanced cyber security”.
Staykova says there is not enough empirical evidence to make this claim. But equally, she concedes that “often by definition smaller suppliers have poorer cybersecurity standards”.
Security as a holistic strategy
But even if smaller suppliers are at greater risk of cyber attack than their larger counterparts, all of them sit within the same supply chain ecosystems. So what steps can be taken to keep everyone safe from cyber attacks?
In vast and complex supply chains, Staykova says that “maintaining visibility to manage risk” is the greatest challenge. To counter this risk, she believes that “the traditional, maturity-based approach is outdated and organisations should switch to a risk-based approach to cybersecurity.”
For such a risk-based strategy to be effective requires a “cultural sea change”, thinks Emily Taylor. “It is not a technical issue but an all-encompassing strategy that needs to be fully embraced at board level and embedded across the company instead of being left to technical teams to manage on their own,” she adds.
Taylor, who is a specialist in internet law and governance, says a successful approach is “not necessarily about installing expensive cybersecurity software and systems”. Instead, she thinks it is about staff training and clear policies and procedures that promote awareness, identify weaknesses in the security architecture and mitigate risk. “That needn’t cost a lot and should be within the capability of every supplier – large, medium-sized or small.”
Schneider agrees. “Too often companies underestimate the value of low-tech solutions. Take the principle of least privilege. This policy is effective as it ensures that third-party software should only obtain the access privileges it needs to perform its function. If this simple principle is applied across the value chain then, while it will never eliminate cyber attacks in the supply chain, it closes one particular attack vector.”
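Schneider’s point about least privilege for third-party software is simple to state but easy to drift away from in practice, because integrations tend to accumulate permissions over time. The following is an added example, not code from the article or from any of the organisations it names, showing how a defender can encode the principle as a deny-by-default access check and an over-privilege audit. The permission names, the integrations and the “observed use” data are all constructed for illustration; a real deployment would draw the granted set from its identity system and the used set from its audit logs.

```python
"""Least-privilege check for third-party integrations (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical wildcard permission meaning "can do anything".
ADMIN = "admin:*"


@dataclass(frozen=True)
class Integration:
    name: str
    needed: frozenset                     # what its documented function requires
    granted: frozenset                    # what its credential has actually been given
    used_last_90d: frozenset = field(default_factory=frozenset)  # seen in audit logs


def is_allowed(integration: Integration, permission: str) -> bool:
    """Deny by default: allow only permissions in the explicit grant."""
    if ADMIN in integration.granted:
        return True            # wildcard grants defeat the check; the audit flags them
    return permission in integration.granted


def excess_privileges(integration: Integration) -> set:
    """Permissions granted beyond what the integration's function needs."""
    if ADMIN in integration.granted:
        return {ADMIN}         # a wildcard is always excess for a third-party tool
    return set(integration.granted - integration.needed)


def unused_privileges(integration: Integration) -> set:
    """Granted permissions never exercised in the observation window."""
    return set(integration.granted - integration.used_last_90d)


def least_privilege_report(integrations) -> dict:
    """Map each over-privileged integration to its excess and unused grants."""
    findings = {}
    for i in integrations:
        excess, unused = excess_privileges(i), unused_privileges(i)
        if excess or unused:
            findings[i.name] = {"excess": sorted(excess), "unused": sorted(unused)}
    return findings


# Constructed sample data (not real vendors or real permission sets).
MONITORING_AGENT = Integration(
    name="network-monitor",
    needed=frozenset({"metrics:read", "hosts:list"}),
    granted=frozenset({"metrics:read", "hosts:list", "users:write", "config:write"}),
    used_last_90d=frozenset({"metrics:read", "hosts:list"}),
)
BUILDING_CONTROLS = Integration(
    name="building-controls-support",
    needed=frozenset({"hvac:telemetry:read"}),
    granted=frozenset({ADMIN}),
    used_last_90d=frozenset({"hvac:telemetry:read"}),
)
PAYROLL_EXPORT = Integration(
    name="payroll-export",
    needed=frozenset({"employees:read"}),
    granted=frozenset({"employees:read"}),
    used_last_90d=frozenset({"employees:read"}),
)
SAMPLE = [MONITORING_AGENT, BUILDING_CONTROLS, PAYROLL_EXPORT]

if __name__ == "__main__":
    for name, finding in least_privilege_report(SAMPLE).items():
        print(f"{name}: excess={finding['excess']} unused={finding['unused']}")
```

The two audit views deliberately differ: `excess_privileges` compares the grant against the documented need, while `unused_privileges` compares it against observed behaviour. A permission that is both granted and needed but never used is worth a question to the vendor; a permission that is granted, unneeded and unused is a straightforward candidate for removal.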
Simple steps for better cybersecurity
But there are other approaches which can add value. According to Hiscox, a global cybersecurity insurance provider, third-party attacks can be mitigated by better understanding supply chains and regular audits. So, what should a cyber security audit look like?
For Staykova, understanding the supply chain and auditing it are linked: “Audits must reflect reality,” she says.
“They must be centred on the premise that the chain is only as strong as the weakest link and that cyber security defences are not impregnable. Therefore, audits should be complemented by real-world stress tests, where an organisation and its key suppliers come together and conduct table-top exercises in which mock attacks are launched to gauge how staff respond.”
As for shining a light on cyber weaknesses in the value chain, Staykova recommends that organisations in the same supply chain space “commission third-party security providers to audit the status of cybersecurity defence by third-party vendors”. This would be instead of asking third parties to self-report on this, which is usually done via questionnaires that she says “are insufficient to paint an accurate picture of cyber hygiene”.
Taylor says in addition to cybersecurity prevention awareness, “cyber hygiene across the supply chain must improve across the board”. For technical development teams, she notes that external penetration testing (pen testing) “can be effective in raising standards of security by design”. But she adds that resilience can be improved through organisation-wide training and awareness.
She explains: “When there is a major outage, we often assume that it’s a highly sophisticated cyber attack. But the stark truth is that many outages are caused by human error or breaches that would never have got through if the level of cyber hygiene had been higher.”
For smaller organisations, an NCSC-backed certification scheme, Cyber Essentials, is within reach and can help to improve standards. But Taylor believes the insurance sector too “could play more of a key role” in raising the cyber-hygiene bar in the future.
“A few years ago, there was a belief in policy circles that insurers would ride to the rescue by incentivising organisations to improve standards of cyber hygiene. But that hasn’t really happened. I still believe there is a potential virtuous circle to be created by insurers offering lower premiums to suppliers that can demonstrate higher levels of security.”
But Tim Andrews, a senior cyber underwriter for Hiscox, says that over the past few years the cyber insurance market has significantly increased the baseline requirements for cyber cover.
“Organisations are now expected to have cyber security controls in place that just a few years ago would have been seen as ‘nice to haves’. And underwriters are scrutinising those controls in much greater detail – including how those controls have been implemented and are governed,” he explains.
With research from Hiscox also revealing that third-party supplier cyber attacks account for 40% of all ransomware attacks globally, for some vendors that help can’t come soon enough.