Less than two years ago, in June 2018, when Ticketmaster UK revealed cybercriminals had stolen data from up to 5 per cent of its global customer base via a supplier, it set alarm bells ringing.
The following month, a CrowdStrike report laid bare how ill-prepared organisations all around the globe were against hackers seeking to exploit third-party cybersecurity weaknesses. Two-thirds of the 1,300 respondents said they had experienced a software supply chain attack. Almost 90 per cent believed that they were at risk via a third party. Yet approximately the same number admitted they didn’t deem vetting suppliers a critical necessity.
Given that Symantec’s latest Internet Security Threat Report, launched early last year, highlighted that supply chain attacks had increased by 78 per cent in 2018, one hopes organisations heeded the warning signs and shored up their third-party cybersecurity policies well before COVID-19 hit businesses.
Experts fear companies that failed to bolster their cyber defences are now even more exposed because supply chains have become fragmented, and hackers, like great white sharks, smell blood. “Criminal groups have recognised that to catch the big fish they need to catch some smaller fish first,” explains James McQuiggan, security awareness advocate at KnowBe4.
To extend the fishing – or rather phishing – analogy: to net the whopper organisations, hackers are scooping up the tiddlers in the supply chain, McQuiggan says, as they “may not have the robust security programs and are often unable to afford adequate cybersecurity resources or personnel.
“As such, they are potentially more susceptible to social engineering scams or attacks. The criminal groups will attempt to gain access and then leverage the connection to attack a larger organisation.”
You’re only as secure as your weakest link
Predators know when to attack vulnerable prey, and COVID-19 has weakened the cybersecurity of countless organisations. “Coronavirus passes from person to person, and a percentage of victims are asymptomatic, yet can infect others – cyberattacks work in a similar way,” says Matt Lock, UK technical director at Varonis.
“A smaller supplier that’s fallen behind on their basic cyber hygiene can become infected with malware and unknowingly spread it to their business partners.”
Alluding to the issues presented by lockdowns enforced because of the pandemic, he continues: “At first, we were seeing cases where companies took shortcuts to get their employees online to keep their businesses running. Now companies are starting to settle into their new normal. They’re taking a step back, actively trying to rein in access and resolve security issues that cropped up in their race to get everyone the access they needed to do their work.”
Chris Sherry, a regional vice president at Forescout, argues there has never been a more vital time to have a cyber-resilient supply chain. “COVID-19 is the ultimate stress test for many supply chains,” he says. “The demand for critical supplies has never been greater, and it’s the biggest challenge. It’s a marathon to continue with ‘business as usual’ while trying to achieve an output of 150 per cent. Industry 4.0 and the industrial internet of things are driving improvements in operational efficiency, but also leaving suppliers more vulnerable than ever to downtime or data loss if critical processes are interrupted.
“The benefits of operational technology and automation are clear, but they also significantly increase the potential attack surface of any organisation. As bad actors look to take advantage of the crisis, the cybersecurity strategy of any supplier should ensure this is well understood, continuously monitored, and appropriately secured.”
Top tips to shore up cybersecurity
If an organisation’s cybersecurity is only as sturdy as the weakest link in its supply chain, what could – and should – be done in the face of an increasing number of attacks?
“Ultimately, the relationship of ‘trust’ many organisations once had with their third-party suppliers is no longer enough,” says Sherry. “The National Cyber Security Centre puts out a huge amount of guidance on the right questions to ask, as well as the right parameters to measure the security of your supply chain.”
Nigel Stanley, chief technology officer at TÜV Rheinland, agrees that the NCSC is a good source of information, and points to its Cyber Essentials certification scheme, which offers a “base level of cybersecurity assurance”. For him, streamlining supplier assessments is crucial, as is how deeply the supply chain network is traversed.
However, he notes: “Managing this is a challenge as presenting suppliers with 150 questions to answer every month can be a real turn-off. Using supplier contracts to enforce cybersecurity controls can be useful as it links payments and contracts to cybersecurity performance. The problem is how such a program can be implemented proportionately, balancing supplier and customer requirements.”
The ‘zero-trust’ certification offered by analyst firm Forrester is worth the money to improve cybersecurity across the supply chain, suggests Patrick Martin, head of threat intelligence at Skurio. “Securing the supply chain is key,” he says. “Look for suppliers with certifications like Cyber Essentials Plus, BS 10012 and ISO/IEC 27001, and don’t be afraid to ask suppliers and partners to provide proof of their practices.”
Serving up a final piece of expert advice, he adds: “Another great first step is to monitor the deep and dark parts of the web for breached data, credentials and mentions in attack planning scenarios. In this way, businesses can be much better prepared to mitigate an attack if they see it coming.”
Considering Ticketmaster UK’s supply chain breach was almost two years ago, it’s fair to say organisations have had ample time to prepare, but those who failed need to move quickly, with the fallout from COVID-19 likely to be long and painful.