
Security and the supply chain

Author:

Paul Harris

Supply chain issues frequently hit the headlines, from KFC and Nando’s running out of chicken to the entire country struggling to obtain tomatoes and peppers. While these stories may seem trivial, they often represent just the tip of the iceberg. Numerous sectors, including car manufacturers, building merchants, the NHS, and food producers, have faced supply chain challenges in recent years.

The reasons for these disruptions, whether due to Brexit, COVID, increasing demand, weather conditions in Spain, the war in Ukraine, staffing shortages, or a combination of factors, are up for debate. However, whatever the cause, these events clearly illustrate the significant impact supply chain disruptions can have on the economy and businesses, as well as on individuals.

While the focus of these headlines tends to be on physical supply chains, such as the threat of empty supermarket shelves and rising prices, organisations also rely heavily on digital supply chains. Most businesses today depend on digital products and software suppliers for their daily operations. If this digital supply chain is disrupted for any reason, the negative consequences can ripple through to organisations and ultimately affect consumers.

There are numerous examples of digital supply chain disruptions over the years. In 2021 a bug in the Content Delivery Network (CDN) provider Fastly, triggered by a customer configuration change, took major sites such as Amazon and the BBC offline for the better part of an hour. In 2024 a faulty content update to CrowdStrike's Falcon sensor crashed millions of Windows machines worldwide, disrupting banks, airlines, medical services and transport, among others. Neither incident was an attack; both show how a single upstream supplier can become a point of failure for everyone downstream.

To mitigate such disruptions, companies naturally want contingency plans in place. However, availability is not the only concern organisations should address when assessing their digital supply chain; security is equally critical. Digital supply chains are attractive targets because they offer an effective entry point: rather than breaching a well-protected organisation head-on, attackers target a smaller, less secure company that already has trusted access to it.

A notable example is the 2013 breach of US retailer Target, in which attackers reached the retailer's point-of-sale (POS) systems and stole around 40 million payment card details and 70 million customer records. The initial intrusion was not against Target itself: the attackers first stole network credentials from a heating, ventilation and air conditioning supplier that had access to Target's vendor portal. Using that supplier's access, they got onto Target's network, moved laterally and ultimately reached the POS systems.

Another example is the 2018 British Airways breach, which affected around 400,000 customers. According to the ICO's findings, the attackers gained their initial access using the compromised credentials of a third-party employee rather than by attacking the airline's own perimeter, and then planted malicious JavaScript on the payment page to skim card details.

One of the most intriguing cases of a digital supply chain attack was the 2020 SolarWinds breach. This incident was not about stealing card data; it was a sophisticated, state-sponsored operation that compromised SolarWinds' build process so that a backdoor shipped inside legitimately signed updates to its Orion software. Customers who installed the trusted update, including US government agencies and Fortune 500 companies, were then spied on through it.

Whether the threat originates from criminal enterprises, nation-state operations, or hacktivists, these examples clearly highlight the potential consequences of digital supply chain attacks. Even if you believe you are not a target, someone within your supply chain just might be. Therefore, security throughout the digital supply chain should be a shared responsibility.

But how can organisations enhance the security of their digital supply chains?

Get your own security in order

Improving supply chain security should begin within your organisation. It’s essential to ensure that supply chain attacks do not compromise your business operations, sensitive data, or endanger your partners within the supply chain.

Implementing simple measures can have a significant impact. Network segregation, least-privilege access controls and monitoring tools help you detect a breach early, restrict what a compromised account or supplier connection can reach, and limit lateral movement from a compromised supplier link into your core company networks. Supplier access in particular should be scoped to the specific systems a supplier needs, time-limited where possible, and logged so that unusual activity from that access stands out.

Every organisation faces unique challenges, which is why security measures should be customised based on the specific risks encountered. Conducting scenario and risk analysis planning can be beneficial in uncovering potential risks associated with supply chain attacks, allowing for effective measures to be implemented against the most likely scenarios.

This improvement effort is not only advantageous from a security perspective but also beneficial for your business. With GDPR compliance and the risk of significant fines, organisations are increasingly prioritising security. Additionally, both customers within the supply chain and those outside it are now demanding strong security guarantees before choosing to engage with a company. By establishing solid security practices and being able to provide evidence of security testing or compliance, you can simplify the process of securing business opportunities.

Seek security assurances from your suppliers

Just as customers will seek security assurances from you, it is essential to ask your suppliers for the same. Have they undergone an independent security audit? Can they provide evidence of recent infrastructure and application security testing? Are they working towards ISO 27001 or already certified? Do they hold Cyber Essentials or Cyber Essentials Plus certification? Just as importantly, ask the same questions about their own critical suppliers, since your exposure extends as far as their dependencies do.

The specific assurances you need will depend on the nature of the relationship, the information and services being procured, and the associated risks. Some relationships may require only minimal security assurance, while others may necessitate rigorous standards. It is the responsibility of each company to define the level of security they expect from their suppliers and to ensure those standards are met before entering into any agreements.

Originally published in Computing Security Magazine
