In the digital age, long and complex supply chains have become the norm for many businesses. From large corporations to small to medium enterprises (SMEs), plenty of businesses now engage in supply chains that often encompass a long list of collaborators and suppliers. While this connectivity has undoubtedly benefited international commerce, it’s not without its downsides.
Regardless of their size or industry, many supply chains are rife with cybersecurity threats. Threats ranging from phishing campaigns and identity theft to email-based impersonation (business email compromise) can have costly, often catastrophic effects on targeted businesses. While cyber supply-chain risk management has always been a key concern amongst cybersecurity experts, its importance has only grown during the COVID-19 pandemic. According to a survey conducted by Deloitte, 40% of respondents report having been subject to a cyber incident in the last 12 months. As the pandemic continues, it's likely that these figures will only rise.
Devastating Effects
Given that high volumes of money and sensitive information are transmitted along supply chains, it's no surprise that supply-chain breaches can have devastating effects. Unpredictability is a key feature of supply-chain attacks: a business has no way of knowing either when an attack may emerge or which of its many suppliers or partners it may come through.
Crucially, supply-chain cybersecurity threats don't just come from garden-variety cybercriminals: They can also come from larger, well-resourced entities, including state agencies. In a high-profile case in the second half of 2019, the Chinese cyber-espionage group APT10, acting on behalf of the Chinese Ministry of State Security, launched a campaign targeting sensitive commercial data in other parts of Asia, Europe, and the United States. Against this backdrop, constant vigilance and adequate cybersecurity measures are the best first line of defense.
Best Practices in Cyber Risk Management
Although the threat of supply-chain attacks is understandably daunting, there are a number of steps that businesses can take to mitigate risk and protect themselves. Security measures should span the entire supply chain, and should be regularly evaluated and refined to ensure ongoing efficacy.
At a basic level, these measures should include:
- Ensuring that remote administration interfaces used by service providers are reachable only from a restricted network (for example over a VPN or an allow-listed address range, never exposed directly to the internet) and protected by strong, individually assigned login credentials.
- Establishing measurable quality standards that suppliers must demonstrate compliance with. These may include mandating a minimum level of cybersecurity measures on the part of the suppliers themselves.
- Segmenting and segregating business networks to ensure that only the relevant parties are privy to sensitive information.
- Ensuring that remote access and the credentials issued to service providers are fully revoked at the end of the supplier-business contract, and that individual accounts are disabled as soon as the supplier's staff who used them move on.
- Carefully vetting all hardware and software before admitting it into the broader business network. Once added to the network, both should be subject to ongoing monitoring for potential security risks.
- Keeping all software patched, with a defined process for applying security updates promptly rather than leaving them to chance.
- Implementing multi-factor authentication (MFA) across devices and platforms wherever possible.
Multi-Factor Authentication
Although the above cybersecurity measures can all play a vital role in securing your business against supply-chain attacks, MFA is one of the most effective ways to secure accounts and devices throughout the supply chain. By requiring users to present two or more independent authentication factors before gaining access to a file or system, MFA ensures that a password alone is not enough. That is the crucial difference from password-only logins: a password that is guessed, reused across services, or leaked in a supplier's breach cannot by itself unlock the account, because the second factor (a one-time code, a hardware token, a biometric) is bound to the individual user and cannot simply be copied along with the password.
Many platforms and devices now provide an MFA option in the security settings, and typically require credentials comprising two or more of the following:
- Something the user knows, such as a password, PIN, or response to a question or prompt.
- Something the user has, such as a smartcard, physical security key, authenticator app, or software certificate.
- Something the user is, such as a fingerprint or iris pattern.
In most cases, implementing MFA is an inexpensive security add-on that is fairly straightforward to roll out: the main work is informing users that additional security measures are in place, enrolling their second factor, and having a recovery process for lost tokens or phones. Not all second factors are equal, though. Codes sent by SMS or typed in from an app can still be intercepted or phished by an attacker who relays them to the real site in real time, whereas FIDO2/WebAuthn security keys bind the login to the genuine site and resist that kind of phishing. Where the option exists, prefer those phishing-resistant methods for administrators and for supplier accounts with remote access.
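To make the "something the user has" factor concrete, the following is an added example (not code from the original article or from ESET's product) of how a server verifies a time-based one-time code (TOTP, RFC 6238) from an authenticator app. The secret is the constructed reference key from the RFCs, not a real credential. Beyond the basic check, the verifier tolerates one 30-second step of clock drift and refuses to accept a code for a step it has already accepted, so a code that an attacker observed or phished cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 reference key "12345678901234567890"
# (ASCII), base32-encoded the way an authenticator app receives it from a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a possession factor.

    Accepts the code for the current time step and `window` steps either side
    (clock drift between phone and server), but never accepts a step at or
    before the last accepted one, so an observed code cannot be replayed.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # per-user state; persist it in a real system

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.strip()
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step was already used: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # At t=59 s the RFC 6238 vector (SHA-1, 6 digits) is 287082.
    print(totp(DEMO_SECRET_B32, 59))
    v = TotpVerifier(DEMO_SECRET_B32)
    print(v.verify("287082", 59))   # first use: accepted
    print(v.verify("287082", 59))   # same code again: rejected as a replay
```

The per-user `last_accepted_step` is the piece most toy implementations leave out; without it, a one-time code is not actually one-time within its validity window. In production the secret is stored per user, the step state is persisted, and failed attempts are rate-limited so the six-digit space cannot be brute-forced.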
Supply-chain attacks can be catastrophic for businesses of all sizes, ranging from smaller mom-and-pop operations to multinational corporations. Taking adequate measures to protect your business from this type of cybersecurity threat, such as implementing MFA, can protect your sensitive information and ensure your supply chain remains secure.
For enhanced protection, consider pairing the above measures with cybersecurity software such as version 3.0 of ESET’s Secure Authentication (ESA). This MFA solution ensures that businesses of all sizes can secure devices on their network, meet relevant compliance requirements, and prevent data breaches.
Kelly Johnson is country manager at ESET Australia, a global cybersecurity provider.