Colin Fraser, Director & Co-Founder i-confidential
2024 marks the year supply chain cyber attacks became a mainstream concern, disrupting industries worldwide.
From the aftermath of the attack on Change Healthcare, which impacted 67,000 pharmacies across the US, and even saw doctors having to remortgage their homes, to the more recent attack on Synnovis which disrupted vital medical testing services in the UK, supply chain attacks have caused havoc across the globe, with thousands of organisations combatting their dangerous and costly consequences.
Supply chain attacks occur when a link in a digital supply chain, such as a software provider or a critical service, becomes compromised. The incident often prevents the movement of important goods or services, which then has a knock-on effect for others down the line.
If we just think of supply chain security outside the realms of cyber, for instance a key water crossing being blocked, it’s sometimes easier for the uninitiated to understand its importance.
In 2021, the world experienced this firsthand when the Suez Canal was obstructed. A 400-metre-long vessel was hit with strong winds and ended up getting wedged across the waterway and blocking all traffic until it could be freed. The obstruction occurred south of the two-channel section of the canal, so there was no way around it for other ships. Five days after the initial blockage occurred, at least 369 ships were queuing to pass through the canal, stranding an estimated $9.6 billion worth of trade, showcasing the profound ripple effects a single disruption can have.
This highlights that when a key supplier is blocked or locked out of service, it can have a cascading effect on others – preventing them from operating, which then impacts their customers and can cause substantial financial losses. However, in the world of cyber, the attack surface and the ability to launch continuity-shattering supply chain attacks grows every day.
Most organisations today are digital businesses, and they are increasingly becoming co-dependent because of a reliance on shared services. But this also expands their digital attack surface and makes it easier for criminals to harm them. They only need to find one weak link in the chain, and this can offer them the opportunity to bring everything crashing down. Given these consequences, it’s important that organisations take time to understand supply chain risks and work to remediate them.
The state of supply chain security
Unlike other areas of cyber, most organisations still have a limited understanding of how important their supply chain is to their operations. This is largely because they have an incomplete view of their estate, so they don’t know how dependent their services are on those provided by partners and suppliers.
Not knowing which services are critical to their operations puts organisations at real risk. Organisations must know all their suppliers, from their first tier all the way down to the fourth and fifth tiers. Otherwise, they don’t know who is really important to them, and they will have great difficulty controlling their exposure and protecting themselves.
Furthermore, new regulations are being actively introduced to help organisations bolster the security of supply chains. The UK government recently announced the launch of the Cyber Security and Resilience Bill, which is designed to improve the security surrounding operators of essential services and critical industries.
The UK has seen firsthand the damage that can be caused to the NHS and its citizens when a successful attack hits a supplier, so the government is working hard to avoid more of these situations occurring in the future.
This is a positive step forward. It means critical suppliers will have no choice but to improve their security practices, because regulators will soon want to see evidence of this.
But what other steps can organisations take to improve the security of their supply chain?
Improving supply chain security
The first step any organisation can take to improve supply chain security is mapping out its estate and its partner and supplier ecosystem.
This inventory needs to show details of all suppliers and partners and then map how the organisation works with them. The key goal is to identify the high-risk suppliers that would have an impact on the organisation if their services went down.
Organisations must then take time to understand the security practices of these suppliers and ensure they are secure and follow good cyber hygiene. This type of information can be gathered via questionnaires, or via reports that go to executives or management. This will allow organisations to identify any security concerns which could put them at risk.
Once these suppliers have been identified, it’s also important to assess the impact that would occur if their services were taken down. This can be achieved through incident response planning, where organisations run fire drills for different scenarios. A key part of this must also be devising contingency plans to ensure the organisation can still function, even if a critical supplier is taken out of service.
Another key component that can improve supply chain security is information sharing with partners. This can be around threat intelligence, or even passing on security guidance to less mature organisations in the supply chain.
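The mapping and impact-assessment steps above can be turned into a small tool. The following is an added example (not from the article or i-confidential) that takes a constructed inventory of internal services and their multi-tier supplier chains, assigns each supplier a tier, and lists which services stop if that supplier is taken out of service, so a lower-tier provider the organisation never contracts with directly can surface as the single point of failure. All service and supplier names are hypothetical.

```python
"""Supplier dependency map: which services stop when a supplier is lost?
Dependencies are "requires all": a node fails if any direct dependency fails.
All names are constructed for illustration."""
from collections import deque

# Constructed inventory: node -> its direct dependencies (the next tier down).
DEPENDENCIES = {
    "patient-booking": {"cloud-host-A", "identity-provider-B"},
    "lab-results": {"lab-partner-C"},
    "billing": {"cloud-host-A"},
    "cloud-host-A": {"datacentre-power-D"},       # tier 2 starts here
    "identity-provider-B": {"cloud-host-A"},
    "lab-partner-C": {"courier-E", "lab-software-F"},
    "lab-software-F": {"datacentre-power-D"},
}
SERVICES = ("patient-booking", "lab-results", "billing")  # what the org runs


def transitive_deps(node):
    """Every supplier the node relies on, directly or through lower tiers."""
    seen, queue = set(), deque([node])
    while queue:
        for dep in DEPENDENCIES.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def supplier_tiers():
    """Tier of each supplier: shortest hop count from the organisation."""
    tier, queue = {}, deque((s, 0) for s in SERVICES)
    while queue:
        node, depth = queue.popleft()
        for dep in DEPENDENCIES.get(node, ()):
            if dep not in tier:  # BFS: first visit is the shortest path
                tier[dep] = depth + 1
                queue.append((dep, depth + 1))
    return tier


def blast_radius():
    """Supplier -> sorted services that fail with it, worst supplier first."""
    deps = {s: transitive_deps(s) for s in SERVICES}
    suppliers = set().union(*deps.values())
    radius = {sup: sorted(s for s in SERVICES if sup in deps[s]) for sup in suppliers}
    return dict(sorted(radius.items(), key=lambda kv: (-len(kv[1]), kv[0])))
```

Calling `blast_radius()` on this inventory ranks the tier-2 power provider first, since all three services depend on it through two different tier-1 suppliers; that is the kind of hidden concentration the fire-drill scenarios should cover.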
Supply chain security is a key concern for organisations today and it’s vital businesses take time to improve their third-party resilience. This will help safeguard their processes, customers, and continuity, even if only one link in the chain is broken.