Last year, 39% of businesses in the UK discovered that they had been the target of cyber attacks.
Those findings, published by the National Cyber Security Centre (NCSC) in its 2022 Cyber Security Breaches Survey, highlight the ever-present, pervasive and persistent nature of cybercrime.
One attack stands out above all others. According to Brad Smith, vice-chairman and president of Microsoft, the attack on US management software company SolarWinds was the largest and most sophisticated attack ever.
The 2020 breach was significant as it compromised SolarWinds' data plus the data of 30,000 of its clients. That meant an entire supply chain, which included the US military, the Pentagon, hundreds of leading finance companies and universities.
Professor Steve Schneider, the director of the Surrey Centre for Cyber Security, explains how the attack was carried out. Instead of attacking a raft of major companies and institutions at the front end, the hackers infiltrated a SolarWinds network monitoring program. They then created an extremely sophisticated update, which contained malware. This enabled the hackers to access highly privileged and sensitive data plus the networks and systems of SolarWinds clients.
Since the SolarWinds breach, which was reported in December 2020, there has been no let-up in the number of cyber attacks on supply chains. A study by the European Union Agency for Cybersecurity (ENISA), for instance, revealed that third-party incidents accounted for 17% of intrusions in 2021, compared to less than 1% in 2020.
According to Black Kite, a cyber security firm which specialises in disrupting third-party risk practices, Air France, KLM and Nissan America are just some of the organisations reporting data leaks in the past 18 months which were caused by third parties. Another statistic from the NCSC is equally telling. It found that fewer than one in 10 organisations were monitoring the risk posed by their supply chain.
But arguably it was 2021, the year in which the world was wrestling with the Covid-19 pandemic, that saw some of the most high-profile attacks. In January of that year, an attack on Microsoft Exchange impacted 250,000 servers, 30,000 companies and the Norwegian parliament.
Six months later, Kaseya, an information technology management and security software company based in Florida, was hit by a ransomware attack that temporarily shut down the operations of around 1,500 companies. In Sweden, the attack led to a supermarket chain being shut down for a week, while in New Zealand schools and kindergartens were affected.
All of these larger organisations were targeted through vulnerabilities in smaller third-party partners.
Emily Taylor is the CEO of Oxford Information Labs and an associate fellow of Chatham House's international security programme. She notes that supply-chain cyber attacks through third-party software providers illustrate not only the vulnerability of digital supply chains but also the indiscriminate and widespread damage that such attacks can cause.
Dr Kalina Staykova is assistant professor in the information systems and management group at Warwick Business School and has researched cybersecurity supply chain attacks. She thinks that attacks targeting IT-management providers only tell half the story.
"Cyber attacks come from suppliers across all industry tiers," she says, and adds that while most companies focus on assessing the cyber risks coming mainly from tier-one and tier-two suppliers, threats also come from suppliers deep within the value chain.
She points to a cyber attack on Target, a large US retailer with operations in every US state. "In the case of Target, attackers breached its cyber defences by infiltrating a third-party vendor, Fazio Mechanical Services, a heating, ventilation and air conditioning company," she explains.
This hack begs an important question. Are smaller suppliers that provide services to larger companies more vulnerable to cyber attacks than larger vendors?
While few concrete studies validate this hypothesis, research by the NCSC revealed that larger companies, due to greater funding and expertise, had stronger cybersecurity.
Staykova says there is not enough empirical evidence to make this claim. But equally, she concedes that often by definition smaller suppliers have poorer cybersecurity standards.
But even if it is true that smaller suppliers are at greater risk of cyber attack than their larger counterparts, given that they are part of the same supply chain ecosystems, what steps can be taken to keep everyone safe from cyber attacks?
In vast and complex supply chains, Staykova says that maintaining visibility to manage risk is the greatest challenge. To counter this risk, she believes that the traditional, maturity-based approach is outdated and organisations should switch to a risk-based approach to cybersecurity.
For such a risk-based strategy to be effective requires a cultural sea change, thinks Emily Taylor. "It is not a technical issue but an all-encompassing strategy that needs to be fully embraced at board level and embedded across the company instead of being left to technical teams to manage on their own," she adds.
Taylor, who is a specialist in internet law and governance, says a successful approach is not necessarily about installing expensive cybersecurity software and systems. Instead, she thinks it is about staff training and clear policies and procedures that promote awareness, identify weaknesses in the security architecture and mitigate risk. That needn't cost a lot and should be within the capability of every supplier, large, medium-sized or small.
Schneider agrees. Too often companies underestimate the value of low-tech solutions. Take the principle of least privilege. This policy is effective because it ensures that third-party software obtains only the access privileges it needs to perform its function. If this simple principle is applied across the value chain then, while it will never eliminate cyber attacks in the supply chain, it closes one particular attack vector.
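The least-privilege principle described above can be checked mechanically: compare the scopes a third-party integration has actually been granted against the scopes its function genuinely needs, and flag anything surplus or over-broad. The script below is an added example written for this article, not code from Raconteur or from any of the organisations quoted; the integration names, scope strings and the "resource:action" scope format are constructed assumptions for illustration.

```python
"""Least-privilege audit for third-party integrations (added example).

Scopes are assumed to use a "resource:action" format, and a granted scope
may contain a '*' wildcard (e.g. "hosts:*"). The audit reports, per
integration, scopes that are required but not granted (the integration
would break), granted scopes that cover nothing it needs (pure excess), and
wildcard grants that are broader than the exact scopes it needs.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Integration:
    name: str
    granted: frozenset[str]   # scopes the vendor's software currently holds
    required: frozenset[str]  # scopes its documented function actually needs


# Constructed sample inventory (hypothetical integrations, not real products).
SAMPLE_INTEGRATIONS = [
    # A monitoring agent that only reads metrics and host inventory, but was
    # granted write access and a wildcard over secrets it never uses.
    Integration("network-monitor",
                frozenset({"metrics:read", "hosts:read", "hosts:write", "secrets:*"}),
                frozenset({"metrics:read", "hosts:read"})),
    # A backup agent with a wildcard that does cover its need, but too broadly.
    Integration("backup-agent",
                frozenset({"hosts:*"}),
                frozenset({"hosts:read"})),
    # A CI plugin whose grants match its needs exactly.
    Integration("ci-plugin",
                frozenset({"repo:read", "artifacts:write"}),
                frozenset({"repo:read", "artifacts:write"})),
    # A ticket sync that is under-privileged; it will fail, not leak.
    Integration("ticket-sync",
                frozenset({"tickets:read"}),
                frozenset({"tickets:read", "tickets:write"})),
]


def covers(grant: str, need: str) -> bool:
    """True if a granted scope (possibly containing '*') satisfies a required scope."""
    return fnmatchcase(need, grant)


def audit(integration: Integration) -> dict[str, set[str]]:
    """Classify each grant and need, and recommend the exact minimal scope set."""
    missing = {need for need in integration.required
               if not any(covers(g, need) for g in integration.granted)}
    unused: set[str] = set()
    over_broad: set[str] = set()
    for grant in integration.granted:
        matched = {need for need in integration.required if covers(grant, need)}
        if not matched:
            unused.add(grant)            # covers nothing the function needs
        elif "*" in grant and grant not in integration.required:
            over_broad.add(grant)        # needed, but granted as a wildcard
    return {
        "missing": missing,
        "unused": unused,
        "over_broad": over_broad,
        "recommended": set(integration.required),  # exact scopes, no wildcards
    }


def audit_all(integrations: list[Integration]) -> dict[str, dict[str, set[str]]]:
    """Run the audit over an inventory and key the findings by integration name."""
    return {i.name: audit(i) for i in integrations}


def over_privileged(integrations: list[Integration]) -> set[str]:
    """Names of integrations holding any scope beyond what their function needs."""
    return {name for name, report in audit_all(integrations).items()
            if report["unused"] or report["over_broad"]}


if __name__ == "__main__":
    for name, report in audit_all(SAMPLE_INTEGRATIONS).items():
        print(f"{name}:")
        for key in ("missing", "unused", "over_broad", "recommended"):
            print(f"  {key:11s} {sorted(report[key])}")
```

In practice the `granted` sets would be pulled from the identity provider or API gateway that issues the vendor's tokens, and the `required` sets from the vendor's own documentation or from observed usage; the point of the check is that "unused" and "over_broad" findings are the grants a compromised update could abuse without the integration itself ever needing them.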
But there are other approaches which can add value. According to Hiscox, a global cybersecurity insurance provider, third-party attacks can be mitigated by better understanding supply chains and by regular audits. So, what should a cyber security audit look like?
For Staykova the two are linked. "Audits must reflect reality," she says.
"They must be centred on the premise that the chain is only as strong as the weakest link and that cyber security defences are not impregnable. Therefore, audits should be complemented by real-world stress tests, where an organisation and its key suppliers come together and conduct table-top exercises in which mock attacks are launched to gauge how staff respond."
As for shining a light on cyber weaknesses in the value chain, Staykova recommends that organisations in the same supply chain space commission third-party security providers to audit the status of their third-party vendors' cybersecurity defences. This would be instead of asking third parties to self-report, which is usually done via questionnaires that she says are insufficient to paint an accurate picture of cyber hygiene.
Taylor says in addition to cybersecurity prevention awareness, cyber hygiene across the supply chain must improve across the board. For technical development teams, she notes that external penetration testing (pen testing) can be effective in raising standards of security by design. But she adds that resilience can be improved through organisation-wide training and awareness.
She explains: "When there is a major outage, we often assume that it's a highly sophisticated cyber attack. But the stark truth is that many outages are caused by human error or breaches that would never have got through if the level of cyber hygiene had been higher."
For smaller organisations, an NCSC-backed certification scheme, Cyber Essentials, is within reach and can help to improve standards. But Taylor believes the insurance sector too could play more of a key role in raising the cyber-hygiene bar in the future.
"A few years ago, there was a belief in policy circles that insurers would ride to the rescue by incentivising organisations to improve standards of cyber hygiene. But that hasn't really happened. I still believe there is a potential virtuous circle to be created by insurers offering lower premiums to suppliers that can demonstrate higher levels of security."
But Tim Andrews, a senior cyber underwriter for Hiscox, says that over the past few years the cyber insurance market has significantly increased the baseline requirements for cyber cover.
"Organisations are now expected to have cyber security controls in place that just a few years ago would have been seen as nice to haves. And underwriters are scrutinising those controls in much greater detail, including how those controls have been implemented and are governed," he explains.
With research from Hiscox also revealing that third-party supplier cyber attacks account for 40% of all ransomware attacks globally, for some vendors that help can't come soon enough.
Excerpt from: How to reduce cyber attacks in the global supply chain - Raconteur