Supply chain attacks aren’t a new form of cybercrime, but they are increasingly common. So, what are they, and how do you avoid one?

A supply chain attack uses suppliers or vendors as the delivery route for malicious software, reaching as many organisations as possible through a single compromised link. Attackers can plant the attack in either software or hardware, and supply chain attacks occur in every industry.

In 2022, supply chain attacks impacted more than 10 million people, compared to the 4.3 million affected by malware-based attacks. Some examples include:

  • The Target US attack in 2013 was one of the first well-publicised supply chain attacks. A phishing attack on Target’s air-conditioning contractor gave hackers remote access to Target’s systems. Because access was not segregated, the hackers could move on to the personal information and credit card details of 70 million customers.

  • The SolarWinds attack in 2020/21, where more than 18,000 customers applied a software update, unknowingly allowing a remote access trojan onto their systems and networks. This attack is notorious in the industry because of its scale and the fact that it remained undetected for months.

  • The 3CX phone system attack at the end of March, where hackers used the communication software to infiltrate 3CX’s customer base. This incident is notable because it was made possible by an earlier supply chain attack, in which a financial software firm, Trading Technologies, distributed a software package that had been tampered with.

Experts view the increasing number of supply chain attacks as one of the biggest threats to enterprises in 2023. But like any other cybersecurity threat, there are ways that you can minimise your risk of a breach.

1. Review your current access levels

First, let’s look at your current security levels. Do you know who has access to your system? And how well do you know and trust each of them? Examples to be wary of include former employees who have left the company, and suppliers or contractors who were given temporary access that no one remembered to revoke.

Don’t make the mistake of only considering your payment software or customer database. Just as in the Target supply chain attack, malicious actors can gain access through a supplier you may not have seen as high risk. Imagine that a hacker infiltrated your CCTV system. They could then gain a foothold in the network and start moving wherever they wanted. The Internet of Things (IoT) means that equipment such as your smoke alarms, door locks, temperature sensors and smart grid may be reachable through machine-to-machine interaction. Access to each of these needs to be segregated, secured and actively managed.

2. Implement an assurance process for vendors

How high a risk does the vendor pose from a cybersecurity perspective? To assess the risk level, consider its owners and shareholders, where the business is located, and any potential benefit a foreign government might gain from interfering with it. It might sound like a scene from a spy movie; however, politics is a relatively common motive for hackers and shouldn’t be discounted.

You also need to assess how robust the vendor’s internal cybersecurity practices are. The primary challenge with supply chain attacks is that the malicious actor is leveraging another company’s weakness, which is harder for you to control or protect against. You might ask the vendor questions like:

  • How they protect their supply chain
  • How they handle cybersecurity incidents
  • How frequently they conduct penetration testing
  • What kind of employee training they provide

The ACSC (Australian Cyber Security Centre) has a comprehensive list to assist you.

3. Use the principle of least privilege (PoLP)

As mentioned when we discussed reviewing your current access levels, it is common for employees, suppliers and contractors to have access they don’t require. Within cybersecurity, a principle known as the Principle of Least Privilege suggests that users should only have access to the specific data and applications needed to complete their assigned role. This approach ensures you minimise the potential attack surface and safeguard against human error.

Companies often use role-based access control (RBAC) to implement the PoLP, which means that each employee’s access is restricted according to their role within the organisation. If someone changes positions internally, their access is updated to match what the new role requires, rather than accumulating on top of the old one. RBAC simplifies onboarding and offboarding and makes it easier to set up third-party contractors who need temporary access.
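As an added illustration of sections 1 and 3 (this is not code from the original article): a minimal Python model of role-based access in which contractor grants carry an expiry, an internal role change replaces rather than accumulates permissions, and an access review flags temporary access that nobody revoked. The role names, principals and dates are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Constructed role catalogue: each role lists only the permissions that role needs.
ROLE_PERMISSIONS = {
    "hvac-contractor": {"bms:read"},  # building-management system only, nothing else
    "finance-analyst": {"payments:read"},
    "finance-admin": {"payments:read", "payments:write"},
    "helpdesk": {"directory:read"},
}

@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    expires: Optional[date] = None  # None = no expiry (staff); contractors always get one
    active: bool = True             # set to False at offboarding

def permissions(grant: Grant, today: date) -> set:
    """Effective permissions: nothing if offboarded, expired, or the role is unknown."""
    if not grant.active or (grant.expires is not None and today > grant.expires):
        return set()
    return set(ROLE_PERMISSIONS.get(grant.role, ()))

def change_role(grant: Grant, new_role: str) -> Grant:
    """Internal move: the old role's permissions are dropped, not accumulated."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    return replace(grant, role=new_role)

def audit(grants: list, today: date) -> list:
    """Access review: flag grants that should already have been revoked or bounded."""
    findings = []
    for g in grants:
        if g.active and g.expires is not None and today > g.expires:
            findings.append((g.principal, "temporary access past expiry, still active"))
        if g.active and g.expires is None and g.role.endswith("-contractor"):
            findings.append((g.principal, "contractor access with no expiry date"))
    return findings

# Constructed sample directory: a stale contractor, a leaver and an open-ended vendor.
REVIEW_DATE = date(2023, 6, 1)
SAMPLE_GRANTS = [
    Grant("acme-hvac", "hvac-contractor", expires=date(2023, 3, 31)),
    Grant("alice", "finance-admin"),
    Grant("bob", "helpdesk", active=False),
    Grant("cctv-vendor", "hvac-contractor"),
]
```

Running `audit(SAMPLE_GRANTS, REVIEW_DATE)` surfaces the two grants a quarterly access review should catch: the HVAC contractor whose engagement ended in March but whose account is still active, and the CCTV vendor set up with no end date at all.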

What protections do you have to minimise the risk of a supply chain attack? The potential cost to any business impacted is high, not only from a monetary perspective but also in the loss of trust with your customer base.