Supply chain attacks aren’t a new form of cybercrime, but they are increasingly common. So, what are they, and how do you avoid one?
A supply chain attack uses suppliers or vendors to deliver malicious software to as many organisations as possible. Attackers can leverage software and hardware to plant the attack, and supply chain attacks occur in every industry.
In 2022, supply chain attacks impacted more than 10 million people, compared to the 4.3 million affected by malware-based attacks. Some examples include:
Experts view the increasing number of supply chain attacks as one of the biggest threats to enterprises in 2023. But like any other cybersecurity threat, there are ways that you can minimise your risk of a breach.
1. Review your current access levels
First, let’s look at your current security levels. Do you know who has access to your system? And how well do you know and trust each of them? Examples to be wary of include former employees who have left the company, and suppliers or contractors who were given temporary access that no one remembered to revoke.
Don’t make the mistake of only considering your payment software or customer database. Just like in the Target supply chain attack, malicious actors can gain access through a supplier you may not have seen as high risk. Imagine that a hacker infiltrated your CCTV system. They could then gain a foothold in the network and move wherever they wanted. The Internet of Things (IoT) means that equipment such as your smoke alarms, door locks, temperature sensors and smart grid may be accessible through machine-to-machine interaction. Access to each needs to be segregated, secured and actively managed.
2. Implement an assurance process for vendors
How high-risk is the vendor’s organisation from a cybersecurity perspective? To assess the risk level, consider the owners and shareholders, the business’s location, and any potential benefit a foreign government may gain from interfering with the organisation. It might sound like a scene from a spy movie; however, politics is a relatively common motive for hackers and shouldn’t be discounted.
You also need to assess how robust the business’s internal cybersecurity practices are. The primary challenge with supply chain attacks is that the malicious actor is leveraging another company’s weakness, which is harder for you to control or protect against. You might ask the company questions like:
The ACSC has a comprehensive list to assist you.
3. Use the principle of least privilege (PoLP)
As mentioned when we discussed reviewing your current access levels, it is common for employees, suppliers and contractors to have access they don’t require. Within cybersecurity, a principle known as the Principle of Least Privilege suggests that users should only have access to the specific data and applications needed to complete their assigned role. This approach ensures you minimise the potential attack surface and safeguard against human error.
Companies often use role-based access control (RBAC) to implement the PoLP, which means that each employee’s access is restricted to what their role within the organisation requires. If someone changes positions internally, their access is updated to reflect their new role. It simplifies the onboarding and offboarding process and makes it easier to set up third-party contractors who need temporary access.
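As an added example (not code from the original article), here is a small Python access review that applies the checks described above to a constructed set of access records: departed users who still hold access, temporary supplier access past its expiry date, and entitlements beyond what the user’s role permits. The role map, entitlement names and sample grants are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role -> permitted entitlements map (constructed for this example).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"payments", "invoices"},
    "facilities": {"cctv", "door-locks", "hvac"},
    "hvac-contractor": {"hvac"},
}

@dataclass
class Grant:
    user: str
    role: str
    entitlements: set = field(default_factory=set)
    active: bool = True              # False once HR records the person as departed
    expires: Optional[date] = None   # set for temporary supplier/contractor access

def review_access(grants, today):
    """Return (user, finding) pairs for every grant that fails a review check:
    departed user, expired temporary access, or entitlements beyond the role."""
    findings = []
    for g in grants:
        if not g.active:
            findings.append((g.user, "departed user still holds access"))
        if g.expires is not None and g.expires < today:
            findings.append((g.user, "temporary access expired and not revoked"))
        # Role-based check: anything outside the role's permitted set violates PoLP.
        excess = g.entitlements - ROLE_ENTITLEMENTS.get(g.role, set())
        if excess:
            findings.append((g.user, f"entitlements beyond role: {sorted(excess)}"))
    return findings

# Constructed sample grants, including a facilities user with payment access,
# a departed employee and a contractor whose temporary access has lapsed.
SAMPLE_GRANTS = [
    Grant("alice", "accounts-payable", {"payments", "invoices"}),
    Grant("bob", "facilities", {"cctv", "door-locks", "hvac", "payments"}),
    Grant("carol", "accounts-payable", {"payments"}, active=False),
    Grant("hvac-vendor", "hvac-contractor", {"hvac"}, expires=date(2023, 1, 31)),
]

def sample_findings():
    """Run the review against the constructed grants as of a fixed review date."""
    return review_access(SAMPLE_GRANTS, date(2023, 6, 1))

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```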
What protections do you have to minimise the risk of a supply chain attack? The potential cost to any business impacted is high, not only from a monetary perspective but also in the loss of trust with your customer base.