
Tom Exelby at Red Helix argues for the importance of being a team player
In our highly interconnected world, supply chain attacks, in which a hacker or crime group infiltrates one company to gain access to the data or assets of others, have become a growing danger. Their increase has prompted this year’s Verizon Data Breach Investigations Report to include a new “supply chain interconnection” metric, registering a 68% year-on-year growth.
This systematic targeting of commercial relationships has become increasingly sophisticated, requiring companies to adopt a more active approach. That applies especially to the small and mid-tier organisations that criminals often see as a supply chain’s weakest link.
The battle between an attacker and an SME can seem to be one of unequal resources. Many attacks are now conducted by state-affiliated groups with considerable global expertise. Both CrowdStrike (in its 2024 Global Threat Report) and Verizon cite last year’s example of the supply chain attack by North Korean APT actors on the phone system software company 3CX’s VoIP desktop client. This attack targeted 3CX’s customers using “trojanised” variants of the desktop application.
IT service providers working as part of a connected supply chain are frequently the focus, as hackers seek to use their access privileges to steal or ransom the customer data, intellectual property, code, plans and blueprints or financial assets of larger companies. The attacks using the SolarWinds software update platform in 2020 and the Kaseya patch management tool in 2021 are the most notorious examples, affecting tens of thousands of companies.
Attacks may begin with phishing emails that deliver malware through embedded scripts, PDFs with malicious links, or files with macros. This year’s IBM X-Force Threat Intelligence Index notes how the illegitimate use of valid account credentials increased significantly in 2023 as hackers sought to get round improved detection and prevention capabilities. CrowdStrike points to increased targeting of poorly protected network peripheries as hackers seek to evade endpoint detection and response sensors.
This is why it is vital that companies employ robust access tools, such as Zero Trust Network Access (ZTNA), to reduce the ease of entry for hackers. ZTNA not only helps prevent the use of compromised credentials by criminals, but also reduces the risk of lateral movement within the network.
Since some individuals in the supply chain will need access to applications and network locations, often from devices whose state of compromise the organisation has no way of seeing, ZTNA ensures that third-party access is meticulously controlled, authenticated, and restricted only to required resources and for pre-set durations.
The challenge with supply chain security is that technology delivers greater operational efficiency through integration and automation, requiring data-sharing at increased volume and speed. Tools that require API access to pivotal systems like Customer Relationship Management (CRM) or accounting software are potential gateways for hackers that could unleash a domino effect of catastrophic data loss and operational disruptions. Securing these data flows across every link in a vast supply chain is extremely difficult.
While there is growing awareness of the need for more advanced vigilance and specialist protection in supply chains, it is not matched by sufficient action. This year’s UK Government Cyber Breaches Survey found smaller businesses have limited formal procedures to manage supply chain risks. Only 11% of businesses review the risks posed by their immediate suppliers and only 10% examine their wider suppliers.
Large and mid-sized businesses are, however, using their position to insist suppliers adhere to best practice cyber-security guidelines and frameworks. We are likely to see more stringent contractual requirements for companies to demonstrate compliance before they gain approval as suppliers. Due diligence will be more detailed in its examination of cyber-security.
In more closely regulated industries, such as telecoms and finance, new mandates are in place to drive up security standards. Both the Telecommunications (Security) Act and the EU’s DORA have stipulations requiring organisations to address the risk of working with third party suppliers.
For other industries, the need to act is still there, not just to protect their own assets, but to protect others in their chain as well. The risk is further magnified with every new vendor or service provider introduced to the chain.
Reducing these multifaceted threats requires an all-encompassing approach, understanding that even routine, seemingly secure processes carry potential threats.
One common oversight is underestimating the risks associated with regular software updates. Before deployment in the live environment, patches and software updates should be scrutinised in a controlled setting to ensure they do not introduce new vulnerabilities.
Security audits also need to be frequent and rigorous, especially before integrating any third party. This provides evidence of an active stance on security measures and is beneficial when dealing with organisations that want, for example, to see evidence of pen testing. Pen tests should be annual, at the very least. Incorporating social engineering into these tests is also highly advised, as the ‘human firewall’ is often the weakest link in a security defence.
Organisations should also establish an unbroken monitoring mechanism for every component of their own supply chains, paired with regular updates of security protocols and software. Access to industry intelligence about potential threats is also a necessity since the criminals’ tactics are constantly evolving. Intelligence-sharing strengthens defensive postures for all concerned.
Maintaining visibility of public-facing email domains also reduces the potential for spoofing and allows quick identification of impersonation attempts. This should go hand-in-hand with improved training for staff to counter the dangers of phishing.
Where businesses have embarked on digital transformation projects, a fuller understanding of risks is critical. A breach in a hosting provider, for example, can lead to severe loss of data, as evidenced in last year’s CloudNordic and AzeroCloud ransomware attacks, which resulted in many customers losing all their data.
The skills and time required for this higher level of supply chain security can be hard to come by internally, so the most obvious route is through engagement of specialist partners. They are more likely to have the expertise to conduct the rigorous security audits, continuous monitoring, provision of intelligence and implementation of tools like ZTNA.
Each company must seek out the best security partner available. This way, companies not only protect themselves, but also help protect all the businesses they are connected to.
Supply chains are now so complex and vital in a highly interconnected world that each company involved must prioritise security. Increasingly, large companies are seeking to consolidate their supplier bases, making it more important than ever to ensure security controls are robust. Suppliers must demonstrate they are actively complying with best practice protocols and frameworks, such as Cyber Essentials certification.
There is a simple message – if cyber-crime does not get you, lost customers will. The risks are very high, and nobody wants to be shut out of a potentially highly lucrative contract for want of effective security or failure to comply with risk assessments.
Demonstrable compliance with frameworks, processes and safeguards is an increasing necessity for any potential supplier, providing a foundation for secure growth and profitability in the face of hostile threat actors.
Tom Exelby is Head of Cyber Security at Red Helix
