Supply chain attack prevention

Supply chain security is a growing concern amid the increasingly complicated geopolitical landscape. Most organizations work with third parties – often in different countries - to manage their systems and create, manufacture, and deliver their products. However, this means supply chain vulnerability is a real threat that could affect a company’s operations. The issue is particularly pertinent now as businesses increasingly rely on cloud services such as those from Open AI and Meta, all of which can create significant threats.

Many countries are now putting secure supply chain management on the national agenda, passing recommendations and legislation to ensure the integrity of these crucial global networks. However, the onus remains on companies to manage their supply networks effectively, especially when many business functions are managed online and in the cloud.

Let’s look at what supply chain vulnerabilities are most critical in today’s business environment and how to mitigate these risks.

What is a supply chain attack?

Supply chain attacks are specific cyber threats that see attackers breach an organization’s network by exploiting vulnerabilities in its supply chain. While most companies need to work with third-party vendors, these external suppliers often require sensitive data from the company to integrate them within their systems. If the vendor is compromised, all their clients – the businesses they work with – could also suffer from data breaches.

 Types of supply chain cyberattacks

A supply chain attack can come in many guises, depending on exactly where in the chain – and how – an attacker decides to target a business. Some supply chain attack examples are:

• Malware: many supply chain attacks are executed through viruses, ransomware, and other malicious software.
• Phishing attacks: may involve using social engineering techniques to manipulate a company’s employees into revealing sensitive data or user credentials.
• Distributed Denial of Service (DDoS): DDoS attacks block an organization’s network with heavy traffic, causing major disruptions that stall supply chains.
• Compromising suppliers: in this instance, supply chain security is compromised by targeting weak points in a business’s supplier networks.
• Supplier fraud: untrustworthy vendors may offer products and services with compromised supply chain security.
• Software tampering: attackers may manipulate authentic software, introducing vulnerabilities that can later be exploited to carry out attacks.
• Data manipulation: where attackers purposely falsify data within a business’s supply chain.
• Network breaches: these compromise the networks, or interconnected devices, between vendors and clients; this could include IoT devices and network hardware.

Supply chain vulnerabilities

As supply chains become ever more complicated, there’s a corresponding increase in the challenges of cybersecurity in supply chains. Here are a few of the most pressing issues in secure supply chain management today:

1. Subpar vendor performance, stemming from political or financial dependence or exposure to natural disasters.
2. Complex demand planning, resulting from an inability to predict demand accurately.
3. Shortage of skilled labor globally, most critically in understanding supply chain security monitoring and best practices.
4. A volatile economy with increased inflation and predictable pricing makes it difficult to negotiate with suppliers and effectively manage inventory.
5. Hard-to-navigate network of global and local sanctions and regulations.
6. Geopolitical tensions can disrupt or complicate supply chains.
7. Potential for reputational damage from subpar environmental, social, and governance (ESG) practices among vendors.
8. Potential natural disasters from changing climates.
9. Increased cyber risks resulting from an overreliance on the cloud and other digital technologies among suppliers and organizations.

Employees and supply chain vulnerability

Employees should be a critical line of defence in supply chain attack prevention for businesses. They may have access to a company’s sensitive data or login credentials that grant access to this data. For this reason, some supply chain attacks target employees and turn them into unwitting attack vectors. These attacks often use phishing emails and social engineering to access a third-party supplier’s network and infiltrate the target business’s network.

For this reason, it’s essential that companies – and suppliers who work within the supply chain – ensure that employees understand supply chain security best practices. This protects the company and its clients.

Many companies implement rigorous employee awareness training programs as part of their supply chain resilience strategies. These may include:

• Real-world examples to illustrate how supply chain attacks work.
• Common phishing scams and social engineering techniques.
• Interactive training to boost learning.
• Specific threats, like malware.
• Implementing access control so that employees know who should have access to what data.
• Learning how to safely work with third-party suppliers, such as establishing security requirements and conducting regular audits.
• How to appropriately manage and share sensitive data, including verifying identities.
• The importance of secure communication methods.

Kaspersky offers several training programs and tools vendors may find helpful in boosting employee awareness of cybersecurity in supply chains. For example, the Kaspersky Security Awareness Tool assesses employees’ cybersecurity skills, while the Kaspersky Automated Security Awareness Platform offers valuable knowledge about mitigating cyber threats like phishing and preventing reputational damage.

Key steps to supply chain security

There are various things companies can do to enhance security chain security within their businesses. Below are some of the most recommended actions to take:

1. Implement honeytokens, which act as decoys in case of attacks and alert organizations to breach attempts.
2. Use a robust cloud security solution.
3. Use an effective privileged access management framework to prevent the common attack sequence of moving laterally through a network to find privileged accounts to access sensitive data; this can include detecting third-party leaks, implementing Identity Access Management, and encrypting all internal data.
4. Educate staff about common supply chain security threats, including phishing scams, social engineering, DDoS attacks, and ransomware.
5. Implement a Zero Trust architecture, which allows access to intellectual property only after connection requests pass strict assessments – this is useful for remote work, too.
6. Identify and mitigate potential inside threats – though challenging, regular employee engagement and open work culture can be useful in identifying company-wide issues before employees become hostile and potentially malicious.
7. Identify vulnerable resources by speaking to suppliers and mapping out potential attack vectors.
8. Limit access to sensitive data by minimizing privileged access and record all employees and vendors who have access to sensitive data.
9. Ensure that vendors have internal security measures by outlining standards and requirements for data access and use in contracts – explicitly state that the organization must be notified if the vendor suffers a data breach.
10. Diversify suppliers to mitigate potential supply chain vulnerability.
11. Assume data breaches are inevitable and protect employees, processes, and devices from compromise – this can include using antivirus software, multifactor authentication, and attack surface monitoring solutions.
12. Understand how global labor shortages can affect supply chains and find supply chain resilience strategies for this.

Legalisation and supply chain security

Although most supply chain considerations focus on businesses, many governments are taking notice and implementing national-level security measures. This is because supply chain issues can have major national implications.

Below is an overview of how some countries are moving to enhance supply chain security:

The EU

The EU is moving to boost secure supply chain management with its new NIS2 Directive. This outlines three mechanisms for enhanced supply chain security: coordinated risk assessment at the EU level; national risk assessment at the national level for member states; and internal risk assessments for businesses.

Compliance with the NIS2 Directive may require businesses to:

• Consider vulnerabilities for each supplier, including their cybersecurity practices.
• Conduct risk assessments of critical supply chains as outlined in Article 22(1), and – more importantly - take the results into account; financial penalties can result if member states/businesses fail to do this.
• Establish and update a list of essential operators and ensure they comply with the directive’s requirements.
• Understand national cybersecurity strategies.
• Understand the scope of the EU’s CSIRT network, which can monitor internet-enabled assets.
• Pay attention to the directive’s emphasis on data storage and processing software providers, cybersecurity management, and software editors.
• Identify risks and implement appropriate mitigation measures.
• Have a clear process for reporting incidents – and doing so in a timely manner
• Collaborate with suppliers to identify and mitigate cybersecurity risks.
• Set expectations for supply chain security with suppliers and conduct regular audits for compliance.

The UK

The UK places significant emphasis on cybersecurity, especially in supply chains. The National Cyber Security Centre has created a Cyber Assessment Framework that outlines cyber threat mitigation strategies. Principle 8 of the framework’s Cloud Security Guidance specifically refers to supply chain security best practices and cloud services, which are especially vulnerable to attacks.

The advice here suggests that businesses understand:

• How their data is shared with and used by vendors
• Whether customer data is part of this
• How the vendor’s hardware and software have appropriate security measures
• How to assess a supplier’s risk
• How to enforce security compliance with vendors

To ensure the above, the government guidance suggests several implementation approaches when using cloud services, including:

• Understanding separation in cloud services, which may be built on third-party IaaS or PaaS products.
• Data sensitivity should be considered when making risk assessments, especially when using third-party services.
• Looking at how third-party services describe the data-sharing relationship and ensuring it complies with the GDPR.

Best practice tips to prevent supply chain attacks

While it’s not possible to eliminate supply chain security threats, there are ways to mitigate the risks, especially by paying attention to vendors. It can be helpful for organizations to:

1. Regularly conduct and monitor supply chain risk assessments for third-party vendors.
2. Identify and mitigate any third-party data breaches or leaks that could result in supply chain attacks.
3. Outline a risk profile for each supplier, then group suppliers by the level/type of threat.
4. Rank vendors by vulnerability, access to data, and impact on the business.
5. Assess supply chain management with surveys and site visits.
6. Identify vulnerabilities within a vendor’s systems and ask for improvements.
7. Assess the security of the products and services the vendors supply.

Using trustworthy security and antivirus programs, such as Kaspersky Hybrid Cloud Security, should also form part of a first line of defence for supply chains.

Related Articles:

• What is data theft and how to prevent it
• How to prevent cyber attacks
• How to protect your personal online privacy

Related Products:

• Kaspersky Hybrid Cloud Security
• Kaspersky Next
• Kaspersky Managed Detection and Response