The supply chain is the new weak link in your organisation’s security and may stunt your business’ growth. Threat actors are driven by low-risk and high-reward opportunities ─ however, these are becoming less common among primary sectors. For example, outsourced incident response engagements against financial institutions – the most targeted sector in 2016 - have dropped off significantly as investments into security started to bear fruit. This doesn’t include highly targeted attacks, and organisations should never allow themselves to become complacent regarding security. But for adversaries who cast their nets widely and see what they can drag up, there’s been a distinct decline in success.

Multiple entry points weaken defence

So now they’re looking further afield. Company perimeters no longer end at the firewall. Today’s interconnected world has created many new opportunities and tools for companies, but also more entry points for criminals to try and gain access. Hence we’ve seen a growing focus on supply chains, where security cultures may not be as dynamic, mature, or well-funded.

Supply chains also offer more opportunities, particularly in the business and professional services sector: for example, breaching a lawyer’s systems can enable a cybercriminal to gain access to details about many different customers, not to mention other sensitive data that would otherwise sit behind a company’s more formidable defences.

NTT Security’s 2018 Global Threat Intelligence Report supports this, with business and professional services ranked third globally (10% of attacks), third in the Americas (9% of attacks) and a staggering 20% of attacks in EMEA. The new framework for infrastructure security from US-based National Institute of Standards and Technology (NIST) places significant emphasis on supply chain security. This is a recognised and growing target for adversaries.

It’s not just a question of being secure. An agile business needs an agile supply chain. Imagine how much smoother procurement can be if the appropriate data is shared with the right suppliers, or even automated? This level of sharing and automation does, however, pose security risks and every security hazard is a barrier to those transactions. A non-secure supply chain stunts the growth of a progressive company.

The soft target

Supply chains are becoming very attractive targets, for several reasons:

• Companies often don’t regard supply chain security as their problem.
• Policies implemented at companies often don’t reflect on the value chain.
• Smaller companies may lack the means and incentive to invest in security.
• Supply chains expand the potential number of user targets, who are often undereducated about security.
• Services companies in particular have access to the information of multiple businesses.

This issue is compounded by a lack of visibility and control. As much as a company’s ecosystem extends to its service partners, it’s not as simple to extend policies and other controls to that level.

The nature of attacks

Most security implementations fail because organisations don’t implement proper processes and user education alongside security technology. This is a challenging balance to strike for large, security mature companies, and smaller businesses often don’t give it much thought at all. Many supply chain attacks use malware as their preferred weapons, which often rely on user error to activate them inside a company. User-orientated malware such as trojans and droppers remain steadfast favourites of criminals, while the rise of ransomware (which rose from 1% of global malware in 2016 to 7% in 2017) indicates clear targeting of unaware users.

Users at these companies may not even realise that they’re not even the intended target but rather the adversaries are looking for a way through to their customers. Criminals may also look to position themselves between a company and its suppliers, intercepting communications and altering details such as bank accounts ─ the so-called ‘man in the middle’ attack. An astute user would notice such a problem, but only if they’re aware that it can be done.

More users also expand attack surfaces. Opportunities to steal devices such as laptops and smartphones, containing sensitive information, are real threats. So even a supply chain company’s device management approach can have a tangible impact on its customers. Combine that with the fact that they will have multiple clients the potential damage if a device is compromised, is amplified.

Why are company supply chains becoming softer targets for the modern day cyber criminal? @DimensionData has the answers to protect your company. Tweet this

Securing your supply chain

Companies have to take action on several levels:

• Ensure their suppliers follow standards.
• Liaise with suppliers to increase visibility and create active threat intelligence.
• Expect them to implement a comprehensive security strategy.
• Routinely vet suppliers’ security and cull companies that refuse to modernise.
• Assign leaders who can articulate the risks to both business and IT.

The clear place to start is standards: suppliers that don’t meet the required standards of your sector should implement the necessary updates or be released. This is already a legal requirement in many industries and in some cases companies are expected to routinely audit their suppliers for standards. But this shouldn’t be treated as a compliance checkmark. It’s imperative to improving business and should be part of the company’s strategy. For extra assurance, have the results vetted by an independent body to validate the findings.

Tackling supply chain security

Supply chain companies should form part of your security culture. This means they should be informed and encouraged to inform your organisation regarding any security developments. They are an extension of your intelligence-sharing capabilities. If a supplier thinks it’s being targeted, you should know. Likewise, if you become aware of potential attacks on suppliers, you must inform them. By establishing a healthy rapport regarding security, companies can often pre-empt adversaries and vastly reduce the impact of an attack.

Driving this change in culture is daunting, even more so than adjusting security inside an organisation. Suppliers are not simply proxies to your security: tempting as it is to dictate terms to them, that won’t establish the healthy back-and-forth communication required for effective threat intelligence. Also, don’t forget that their core business is not necessarily your core business and their requirements will be different.

Suppliers should be encouraged to take the matter seriously, not just to secure ongoing business with you, but also to protect future customers. A supplier that takes security seriously and approaches it cooperatively has a distinct competitive advantage. It may be necessary to cull certain suppliers and instead select companies that appreciate these dynamics. That’s not an easy choice to make, but if you have a supplier that’s complacent about security, they represent a threat to your business. A single successful breach could destroy years of cooperation and goodwill in the blink of an eye.

Who takes ownership?

Even though each supplier must have their own security strategy, companies should expect and encourage good security. Someone will need to lead this change among the suppliers. But this isn’t just trickle-down change from the top. Every supplier has its own culture, silos, and IT systems. Whoever leads the change will have to stand alongside partners as they implement change on their side. These are not conversations that will be settled with KPIs and annual reviews. They are more sensitive and need large amounts of care.

It may be a matter of following the reporting. Perhaps the strategy calls for a risk-based technological journey and it may sit with the CIO or CISO. Chief Risk Officers are also popular candidates for security-related issues. Yet the broader supply chain aspect may need input from other types of high-level influencers such as the Chief Financial Officer, Chief Digital Officer, or even the CEO.

Those to which this responsibility is assigned must have the capability of articulating the challenges to both technology and business audiences. This isn’t just about security, but the relationships that feed the business’ output as well as many individuals inside the business. Yet there should be one person or group explicitly in charge. A uniform security strategy, where all parts ─ people, processes and technology ─ move in harmony, is paramount.

No business operates in isolation or remains tucked behind a fortress’ walls anymore. From a security view, companies must regard their supply chains as an inextricable part of their environments. Threat actors know this and they’re moving against those soft targets. Don’t wait for something to happen. Act first to secure your supply chain and its wealth of relationships and experience.