Cyber attacks are not always sophisticated. They frequently succeed because of poor cyber hygiene and the exploitation of known, already-patched vulnerabilities. For every highly sophisticated attack such as SolarWinds or NotPetya, there are hundreds of thousands of low-level phishing, denial of service and ransomware attacks.
Raising cyber resilience across the supply chain, even if only to the level of basic cyber security hygiene, is the first line of defence against cyber attacks. Cyber resilience cannot be seen simply as a matter of securing data or procuring the latest technology. It is about identifying the critical components within a supply chain, assessing their potential vulnerabilities, ensuring that appropriate mitigations and systems are in place, and creating a governance structure that supports all of this.
It starts at the top
To establish a long-lasting change in how businesses manage their cyber risk and improve their resilience, advocacy needs to come from the top. A true understanding of the business impact a cyber attack could have ought to provide a clear incentive for organisations to increase investment in cyber defence. A 2021 UK government report on the true cost of cyber attacks identified 41 different categories in which a business could suffer financial loss as the victim of a cyber attack.
Cyber attacks are increasingly reaching organisations through vulnerabilities in their suppliers, whether through products, services or any other connection or channel of communication. Recent high-profile incidents, in which attackers used weaknesses in the supply chain as a route into their real target, are a stark reminder that seemingly “small players” in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.
DCMS’ Cyber Security Breaches Survey 2021 found that just 12% of businesses have reviewed the cyber security risks posed by their immediate suppliers, and only 5% have done so for their wider supply chain. An all too common misconception is that the sophistication and impact of a cyber attack is proportionate to a company’s position in the supply chain. Or, in other words, that sophisticated large-scale attacks target large companies, while small-time basic attacks target small companies. Wrong!
Yes, this relates to you!
Every business is a supplier and a customer to someone. Companies are now being targeted simply because of who they are connected to or who they do business with. Attackers looking to hit large companies “at the top of a supply chain vertical” are far more likely to go after weaknesses “much further down” the chain, where defences are thinner and access is often trusted by default. Therefore, no supplier is too small or insignificant to be overlooked. In fact, the reality is quite the opposite!
It’s not too late (or difficult) to start
So how do companies prepare themselves adequately in this new era of cyber attacks? Firstly, it’s crucial to understand that every company is a potential target, regardless of size, industry, location, etc. It’s vital to address the basics first and gain a clear understanding of the strengths and weaknesses in your current security posture.
There are multiple cyber security standards, with varying degrees of thoroughness, that can provide a framework to work to. For small businesses, start with the foundations outlined in Cyber Essentials (patching, secure configuration, access control, malware protection and boundary firewalls). For larger companies, expand on those basics using ISO 27001 as a framework for a full information security management system.
As mentioned above, protecting your own network is only one part of a robust security posture. Next comes an understanding of external risk. Build a map (a “digital twin”) of your supply chain, including the suppliers your suppliers depend on, and identify the critical suppliers that could be a single point of failure. Then follow up with those suppliers and confirm that they operate to the level of security you expect.
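The supply-chain mapping step above is easier to reason about with a concrete model. The following is an added example, not code from the original article or from any of the organisations it mentions: it models business functions, the suppliers that provide them, and the sub-suppliers those suppliers in turn depend on, then asks which suppliers are single points of failure. All supplier names and dependencies are constructed for illustration. It also shows the article’s point about “small players”: a fourth-party supplier nobody contracts with directly (DNSCo below) can take out the same functions as a primary supplier.

```python
"""Find single points of failure in a modelled supply chain.

A function is lost when every supplier that provides it is unavailable.
A supplier is unavailable when it fails directly or when any supplier it
depends on is unavailable (propagated transitively through the chain).
"""
from __future__ import annotations

# Constructed sample data (hypothetical names, not from the article).
# Business functions mapped to the suppliers that can provide them.
FUNCTIONS: dict[str, set[str]] = {
    "payments": {"PayCo"},             # only one provider
    "email": {"MailA", "MailB"},       # two alternative providers
    "hosting": {"CloudX"},             # only one provider
}

# Supplier -> suppliers it depends on (third parties' own suppliers,
# i.e. the "fourth parties" that are easy to overlook).
SUPPLIER_DEPS: dict[str, set[str]] = {
    "PayCo": {"CloudX"},    # PayCo's platform runs on CloudX
    "MailA": {"CloudX"},    # MailA also runs on CloudX
    "MailB": set(),         # MailB has no modelled dependencies
    "CloudX": {"DNSCo"},    # CloudX relies on a small DNS provider
}


def all_suppliers(functions: dict[str, set[str]],
                  deps: dict[str, set[str]]) -> set[str]:
    """Every supplier named anywhere in the model, including ones that
    only appear as a dependency of another supplier."""
    names = set(deps)
    for ds in deps.values():
        names |= ds
    for providers in functions.values():
        names |= providers
    return names


def unavailable_if(failed: str, deps: dict[str, set[str]]) -> set[str]:
    """Suppliers that are unavailable when `failed` is unavailable.

    Walks the dependency graph in reverse (dependency -> dependents).
    The `down` set doubles as the visited set, so cycles terminate.
    """
    dependents: dict[str, set[str]] = {}
    for supplier, ds in deps.items():
        for dep in ds:
            dependents.setdefault(dep, set()).add(supplier)
    down: set[str] = set()
    stack = [failed]
    while stack:
        s = stack.pop()
        if s in down:
            continue
        down.add(s)
        stack.extend(dependents.get(s, ()))
    return down


def lost_functions(failed: str, functions: dict[str, set[str]],
                   deps: dict[str, set[str]]) -> set[str]:
    """Business functions that have no remaining provider if `failed` goes down."""
    down = unavailable_if(failed, deps)
    return {f for f, providers in functions.items()
            if providers and providers <= down}


def single_points_of_failure(functions: dict[str, set[str]],
                             deps: dict[str, set[str]]) -> dict[str, set[str]]:
    """Map each supplier whose failure loses at least one function to
    the set of functions lost. Suppliers with a viable alternative are omitted."""
    result: dict[str, set[str]] = {}
    for supplier in sorted(all_suppliers(functions, deps)):
        lost = lost_functions(supplier, functions, deps)
        if lost:
            result[supplier] = lost
    return result


if __name__ == "__main__":
    for supplier, lost in single_points_of_failure(FUNCTIONS, SUPPLIER_DEPS).items():
        print(f"{supplier}: failure would lose {sorted(lost)}")
```

Run as-is, the model reports PayCo, CloudX and DNSCo as single points of failure, while MailA and MailB are not because each covers for the other. DNSCo never appears in a contract with the business, yet its failure has exactly the same impact as losing CloudX; those are the suppliers worth following up with first. Real data for the two dictionaries would come from contracts, data-flow diagrams and supplier questionnaires.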
The digital age is making the world more interconnected than ever before, and the sophistication of cyber threats is advancing much faster than the resilience of most businesses. Understanding, awareness and a proactive approach to cyber security will not only save time, money and resources but also provide a competitive edge for companies seeking new business opportunities.