Supply Chain Risks

At the weekend we learned of the 4th major breach of August – this time the Met Police – who were targeted via a contractor and suffered a breach that led to officers' and staff's details being hacked.

The contractor holds names, ranks, photos, vetting levels and pay details – all highly sensitive personal data that could potentially put people at risk. The damage this could do to the Met and its employees is clear, but any breach of sensitive personal data will have a negative effect on an organisation.

Many organisations beef up their own cyber security, but it then becomes easier and potentially a lot more rewarding (think widely sold software with vulnerabilities) for cyber criminals to target those in the supply chain instead, and these attacks are on the rise. A major manufacturer such as an automotive company can have as many as 250 tier-one suppliers and up to 18,000 suppliers across the full value chain, which amply illustrates the challenge of ensuring that your supply chain isn't your vulnerability. These figures come from US research, but the numbers in the UK will still potentially be significant.

NCSC research (Cyber Breaches Survey 2022) found that only 13% of those asked had reviewed their immediate suppliers, and only 7% had looked at their wider value chain. To address this, the NCSC has produced a guide aimed at medium and large organisations, although it can be adapted to suit organisations of any size.

According to BlackBerry, much of modern software is based on open source code, which can be easily hacked because it is publicly available. BlackBerry went on to say: “Securing a software supply chain against attacks requires knowing what elements in your system have the potential to be attacked. More than three-quarters (77%) of those BlackBerry surveyed said that, in the last 12 months, they discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards”.

“This means that malicious lines of code can sit in blind spots for years, ready to be exploited when the attacker chooses”. This should give you pause for thought.

Any SME should consider and assess the risk that its suppliers and its wider value chain expose it to. If you don't have the internal expertise or confidence to carry out a robust supply chain risk assessment, then the team at Cyber & Data Protection can help you achieve this.