In their joint report, Cyber Threat to UK Business Industry 2017-2018, the NCSC and NSA said supply chain compromises of managed service providers and legitimate software, such as MeDoc and CCleaner, had provided cybercriminals with a potential stepping-stone into the networks of thousands of clients.
It said criminals were increasingly “capitalising on the gateways provided by privileged accesses and client/supplier relationships,” and that “attackers will target the most vulnerable part of a supply chain to reach their intended victim.”
“It is clear that even if an organisation has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” it said.
Supply chains account for roughly 80 percent of all cyberattacks, according to the SANS Institute.
Ben Ludford, a consultant at global procurement consultancy Efficio, told Supply Management that in the past, hackers had focused on companies that were rich in data and IP, but the rise of ransomware meant every computer was now a possible target. He said recent high-profile cases, such as WannaCry, which affected 230,000 computers worldwide, highlighted the importance of CPOs taking the appropriate measures to protect their companies and supply chains.
Ludford gave the following six key steps for CPOs to prevent cyberattacks on their supply chains.
1. Conduct a cyber risk assessment of your supply chain
“Think the unthinkable. What if all your suppliers’ IT systems and channels of communication failed? What if the supplier managing customer data suffered a breach? Asking questions will help you understand the potential risks and how they could impact on your organisation. Based on this assessment you can prioritise your actions.”