The National Cyber Security Centre (NCSC), part of GCHQ, has issued new guidance to help businesses manage the cyber security of their supply chains.
Authorities are taking the threat so seriously, they have made the prevention a priority. We all should make it a priority too.
Only 13% of businesses actively review risks presented by suppliers. That’s a tiny number for what is a huge and complex web of suppliers and consumers in the UK.
That number is nowhere near high enough.
What is a supply chain cyber attack?
A supply chain cyber attack is where a hacker gains access to a system owned by a supplier and uses it to access your network.
It may seem a little convoluted, but it’s a way for hackers to access potential blind spots within enterprise networks.
The now infamous SolarWinds attack, attributed to Russia, is an example of a supply chain cyber attack.
SolarWinds were infiltrated via a supplier system linked to the SolarWinds network. As the supplier didn’t have anything like the security SolarWinds had, they were an easy target.
The hackers then managed to load a backdoor into SolarWinds, thus providing access to anyone using their products.
It was an incredibly sophisticated attack that took the world by surprise.
Its success has spawned many hundreds of copycats, which is why we, and NCSC, want you to be aware of the threat.
New NCSC guidance for supply chain attacks
Ian McCormack, NCSC Deputy Director for Government Cyber Resilience, said:
“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers.
“With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
“Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”
There’s a lot to unpack in the revised NCSC guidance, but in essence it covers:
Understanding the threat
Recognising that suppliers can offer an easy target that can be leveraged to infiltrate more sophisticated networks.
That means checking with suppliers to assess their security, mitigating any identified risks and securing your systems against outside access from suppliers.
Mitigating the threat
Mitigating the threat covers a range of topics, including:
- Prioritising your own system security
- Creating restricted profiles for suppliers
- Determining the cyber security requirements for suppliers
- Managing compliance and monitoring performance
- Contract clauses for suppliers and their obligations
- Educating internal staff and external suppliers about threats
- Embedding controls throughout the entire process
- Regular reporting of the situation at board level
We won’t repeat the whole guidance verbatim, but it’s here if you want to read it.
Protecting your business from attack
There are a number of practical measures you can take to protect your business aside from what the NCSC suggests.
They include:
Using cloud computing wherever possible
The cloud won’t insulate you from hacking and malware completely, but it provides a robust platform that’s secure and that can be instantly recovered from backups should anything happen.
You can use the cloud for email, data storage and even Windows desktops.
Backups for everything
Not all cyber attacks want to harvest data or hold you to ransom. Some just want to disrupt operations. Every business needs to be protected.
Having current backups for all critical data is the best way to protect your systems. Daily backups, and even constant incremental backups, mean very little productivity is lost should the worst happen.
Managed services
Working with experienced providers for essential services is also key. They will have the security solutions, policies, procedures and experience to mitigate all but the worst attacks.
They will also have the manpower and skills to help you recover should the worst happen.
Zero trust methodology for suppliers
Using the principle of zero trust, or least privilege, for suppliers is a key way of not becoming the next SolarWinds.
Grant enough privileges for a supplier to perform their work but no more, and monitor everything they do.
It may sound harsh, but it’s your network and your data so protect it at all costs.
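To make the restricted-supplier-profile and least-privilege points above concrete, here is an added example (not from the NCSC guidance and not our own tooling) of a deny-by-default access policy for supplier accounts: each supplier gets a profile listing only the resources and actions it needs, every grant has an expiry, and every decision is written to an audit log so that unusual activity (for example, a supplier repeatedly asking for things it was never granted) can be spotted. The supplier names, resource paths and dates are constructed for illustration.

```python
"""Least-privilege access control for supplier accounts (added example).

Not NCSC text and not a real product: a deny-by-default policy evaluator
with per-supplier scoped, time-limited grants and an audit trail of every
decision. Supplier names, resources and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch


@dataclass(frozen=True)
class Grant:
    resource: str        # glob pattern the supplier may touch, e.g. "inventory/*"
    actions: frozenset   # permitted actions on that resource, e.g. {"read"}
    expires: datetime    # end of the access window; expired grants are ignored


@dataclass(frozen=True)
class SupplierProfile:
    name: str
    grants: tuple        # tuple of Grant; nothing outside these is allowed


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    supplier: str
    action: str
    resource: str
    allowed: bool
    reason: str


class SupplierAccessPolicy:
    """Default deny: a request is allowed only if a live grant covers it."""

    def __init__(self, profiles):
        self._profiles = {p.name: p for p in profiles}
        self.audit_log = []   # every decision, allowed or not, is recorded

    def authorise(self, supplier, action, resource, now=None):
        now = now or datetime.now(timezone.utc)
        profile = self._profiles.get(supplier)
        if profile is None:
            return self._record(now, supplier, action, resource, False, "unknown supplier")
        for g in profile.grants:
            if now >= g.expires:          # time-limited access: stale grants do not count
                continue
            if fnmatch(resource, g.resource) and action in g.actions:
                reason = f"grant {g.resource}:{','.join(sorted(g.actions))}"
                return self._record(now, supplier, action, resource, True, reason)
        return self._record(now, supplier, action, resource, False,
                            "no matching grant (default deny)")

    def _record(self, now, supplier, action, resource, allowed, reason):
        self.audit_log.append(AuditEvent(now, supplier, action, resource, allowed, reason))
        return allowed

    def denied_events(self):
        return [e for e in self.audit_log if not e.allowed]

    def suppliers_over_denial_threshold(self, threshold):
        """Monitoring hook: suppliers whose denial count reaches the threshold."""
        counts = {}
        for e in self.denied_events():
            counts[e.supplier] = counts.get(e.supplier, 0) + 1
        return sorted(s for s, n in counts.items() if n >= threshold)


def demo():
    """Run a constructed set of requests through one supplier profile."""
    now = datetime(2022, 10, 20, 9, 0, tzinfo=timezone.utc)
    window_end = datetime(2023, 1, 1, tzinfo=timezone.utc)
    # Constructed supplier: a logistics firm that only needs to read stock data.
    acme = SupplierProfile("acme-logistics",
                           (Grant("inventory/*", frozenset({"read"}), window_end),))
    policy = SupplierAccessPolicy([acme])
    results = [
        policy.authorise("acme-logistics", "read", "inventory/stock-levels", now),   # in scope
        policy.authorise("acme-logistics", "write", "inventory/stock-levels", now),  # wrong action
        policy.authorise("acme-logistics", "read", "finance/payroll", now),          # wrong resource
        policy.authorise("unknown-co", "read", "inventory/stock-levels", now),       # no profile
        policy.authorise("acme-logistics", "read", "inventory/stock-levels",
                         datetime(2023, 2, 1, tzinfo=timezone.utc)),                 # grant expired
    ]
    return results, policy


if __name__ == "__main__":
    decisions, pol = demo()
    for event in pol.audit_log:
        print(f"{event.time.isoformat()} {event.supplier} {event.action} "
              f"{event.resource} allowed={event.allowed} ({event.reason})")
    print("suppliers to review:", pol.suppliers_over_denial_threshold(2))
```

The design choice worth noting is that the policy never has a "supplier" catch-all: an unknown account, an action outside the grant, a resource outside the glob, or a lapsed expiry all fall through to the same default deny, and each denial lands in the audit log where a threshold check can surface a supplier account that is probing beyond its remit.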
The rise in supply chain cyber attacks isn’t good news, but there is a silver lining to every cloud. If you partner with a reliable service provider and follow our and the NCSC’s guidance, you can prevent all but the most sophisticated attacks.
Contact one of our team today for expert cyber security protection!