You may have seen the online game Among Us if you have a teenager at home. Set on a space station, players run around as identical-looking aliens until one player gets bumped off. The remaining players must guess which of their fellow players is a mole wreaking havoc.
An old idea with a modern makeover, the online game isn’t a million miles away from the new frontier of cyber threats: supply chain attacks. From CloudHopper to SolarWinds, businesses have seen email fraud and account compromise bring down entire systems. Most worryingly, companies can no longer rely on their security systems – all it takes is a cyber security chink in the supply chain for sensitive data to be leaked to criminals.
Our industry isn’t naive to the rising number of attacks capitalizing on our ever-increasing interconnectivity. As small and large businesses share data and assets at scale, our collective vulnerabilities multiply, becoming more attractive targets for attackers hoping to see the dominoes fall one by one.
A primary method criminals use to attack supply chains is impersonation, which can be remarkably sophisticated. Cybercriminals can spend months stalking employees’ social media accounts and company press releases to work out supply chain details, deducing where they might insert themselves to fraudulently divert invoices or encourage employees to engage in phishing scams.
While global businesses may have the resources to employ cyber security teams that can assess and contain the risk of attacks such as these, increasingly, criminals are targeting smaller companies lower down the chain as backdoors to compassionate consumer data.
Cybersecurity professionals have come under immense pressure over the past 18 months to manage the threat on multiple fronts. Whereas ten years ago, only the most sophisticated cyber criminals – usually sponsored by hostile states – could cripple national infrastructure and global business, individual hackers carrying out ransomware attacks now represent a more significant risk to UK national security, according to the National Cyber Security Centre.
So how can we ensure that cyber security remains robust down the entire length of supply chains?
Businesses must acknowledge their shared responsibility to ensure the supply chain is cyber-secure. All companies are responsible for securing themselves to protect their stakeholders, clients, and customers. However, according to the DCMS Cyber security breaches survey published in March 2021, only 12% of UK businesses have assessed the cyber security risk their suppliers pose.
That is a sobering statistic and reflects a general attitude among C-suite executives that cyber security is still a secondary management consideration. A common concern raised by CISOs is the lack of resources to protect company systems adequately, let alone assess suppliers’ methods.
We, therefore, need a shift in emphasis. It is no longer excusable to scapegoat under-resourced cybersecurity departments or naturally expect suppliers to be sufficiently secure. Cyber security, including assessing cyber security compliance down the supply chain, should be integral to every business operating today’s ever-more online world. Suppliers need to be held to minimum cyber security requirements.
As cyber-attacks become more frequent and sophisticated, businesses must ensure they are not left behind. Now more than ever, companies should take advantage of the prolific knowledge-sharing projects within the cyber security industry, such as SASIG, to stay updated and alert to the latest threats.
It is also vital that the industry makes its voice heard as the government considers its new cyber security strategy.
