Securing the supply chain: The imperative of Early Warning Systems
According to Gartner, 89% of businesses have experienced a supply-chain risk event in the past five years. As a matter of fact, it's been found that 80% of cyberattacks begin in the supply chain. A recent survey suggests that 32% of SME business leaders believe that the growing risk of cyberattacks can be attributed to higher rates of supply chain fraud. We've seen several examples of catastrophic incidents in the past few years, including the exploitation of the moveIT vulnerability and previous incidents such as SolarWinds and Kaseya. These are just a few of the attacks that illustrate the consequences of insufficient security and the importance of adequate security standards and communication between partners and suppliers.
There is a common theme of cybercriminals using some form of vulnerability to target third-party suppliers or link in the supply chain to compromise bigger companies. Usually, this is an unpatched vulnerability in software or a social engineering or phishing attack on an employee. The perpetrators of such attacks tend to be larger, sophisticated gangs of cybercriminals. The reason is simple: a successful supply-chain attack takes resources, planning and specialist knowledge to pull off – something that's often beyond the scope of low-level cybercriminals.
Unfortunately, small to medium-sized businesses (SMBs) are particularly vulnerable, as they don't typically have the resources for sophisticated cyber defences. A recent Censuswide survey found that 42% of SME leaders do not believe cybersecurity is a worthy investment, specifically because 21% believe they aren't a target for cybercrime.
The fact is, most tools on the market are aimed at enterprise-level organisations with bigger budgets and scaling requirements, leaving SMBs without sufficient defences to properly secure their systems. Of course, there are the standard best practices and regulations that organisations should follow; however, there are more strategies they can implement to boost their security. One example is a supply chain early warning system (EWS), which, alongside basic security training, can help businesses add an extra layer of security to their networks while providing a clear view of the risk they face.
What is an early warning system?
An EWS is a programme that is used to identify potential security threats in supply chains using internal and external data. This includes anything that can impact the company's supply chain: natural disasters, industry accidents and cybersecurity threats. It analyses and uses this data to notify the decision-makers within the organisation on how best to reduce risk. It also uses learning algorithms that aid businesses in being proactive about unforeseen circumstances and suggest measures to mitigate threats, which, in the long run, helps protect businesses against third-party threats.
Five types of supply chain attacks
In the past 12 months, supply chain attacks have impacted over 10 million people. Unfortunately, the diverse array of delivery methods makes them incredibly difficult to detect:
Watering hole attacks: This is when a hacker inserts malicious software into a website that receives a high amount of traffic from the target business. When someone visits the compromised site, malware instantly infiltrates the individual's defences to gain access to their systems or data.
Compromised software development tools: In this instance, a hacker compromises a supplier's software development tools, infrastructure or processes. Ultimately, it leaves the applications that were built from them vulnerable to zero-day exploits, putting end-users at risk.
Compromised website builders: This occurs when a hacker compromises a supplier's website via a website builder to install malicious software or a redirect script and send any users to the hacker's clone of the original site.
Stolen product certificates: This is when a hacker steals an official product certificate, which enables them to distribute malicious software and applications disguised as legitimate products without raising suspicion.
Third-party data store breaches: When a hacker infiltrates a third-party data centre (via a botnet). Once inside, they can steal sensitive information, which they can sell for profit, ransom back to the victim, leak online or delete.
How can early warning systems protect against these supply chain threats?
An EWS can protect businesses from supply chain attacks as it can:
Detect and respond to network vulnerabilities: The sad reality is that most businesses only realise they have been breached when it's too late. An early warning system can proactively monitor a network for vulnerabilities and malware. In using an EWS, organisations have the time to repair any gaps or breaches before hackers are able to exploit them.
Identify and assess cyber risks: An effective EWS raises an organisation's awareness of external cybersecurity threats. For instance, when the system identifies potentially harmful events, suspicious behaviour or an attacker lurking on the network, it notifies the relevant stakeholders and security teams. This helps businesses quickly spot and assess the level of risk, proactively monitor emerging threats or incidents, and launch incident response plans to minimise or mitigate the potential impact on their business.
Raise stakeholder awareness: By keeping the relevant suppliers, employees and customers informed on current and emerging threats, an EWS can help raise awareness of the current existing supply chain risk facing an organisation. Businesses can then use this information and insight to understand what they should be looking out for and where to invest their cybersecurity budget to protect themselves against various online threats.
Ultimately, cybercriminals have realised that to target high-profile businesses, you don't need to attack the organisation itself. Third parties tend to pose an easier and more appealing target that hackers can use to gain a foothold in larger corporations. As such, we can't expect the threat of supply chain attacks to shrink any time soon. That being said, an EWS adds an extra layer of protection and provides businesses with a clearer view of their risk landscape. In using an EWS, business leaders can remove the need for specialist tools while still remaining protected and improving their overall security. If businesses implement the right security strategies alongside security basics and best practices - such as becoming Cyber Essentials certified - and using an EWS, their chances of breach can be significantly reduced.