Fish tanks, thermostats and third-party breaches – Why securing your supply chain should be a top priority

The world is more connected than ever before, with organisations being able to scale at speed and provide customer experiences in ways that we never thought possible – all thanks to technology.

A more seamless and integrated world of opportunities has opened up for organisations as a result of this hyperconnectivity that transcends borders. However, it’s important to remember that technology is a double-edged sword: for every force there is an equal and opposite one, and new opportunities may also create new threats which need to be managed.

Over the last few years, supply chain vulnerabilities have emerged as one of the major weaknesses in an organisation’s security, providing an unintended back door for cyber criminals into unsuspecting businesses. In fact, analyst house Forrester recently predicted that in 2022, 60% of security incidents would involve third parties.

Whatever industry you are in, you cannot effectively protect your company or your customers if you do not think holistically about your supply chain as part of your overall approach to cyber security.

You are only as secure as your weakest link

As businesses become more connected, their dependency on suppliers to conduct business operations is increasing. For example, healthcare institutions are able to manage patient data more effectively by connecting through smart technology; retailers rely more heavily than ever on external suppliers for the delivery of goods to customers upon order; and, across industries, companies are managing staff shortages and talent acquisition by employing external contractors.

Given the rise in dependency on the supply chain and anything-as-a-service, it’s not surprising that the trend of one attack reaching many victims is set to accelerate. While cyber security may be top of mind for many businesses, it’s important to remember that you are only as strong as your most vulnerable supplier, and that supplier could be one of your biggest or, indeed, your smallest.

We have witnessed an increase in sophistication of supply chain attacks such as the high-profile SolarWinds breach which affected many Fortune 500 companies and multiple agencies in the US government; subsequently, there was the ransomware attack against Kaseya, an IT management software tool, which disrupted operations for many managed service providers and their customers with an estimated 1,500 downstream businesses affected.

More recently, we saw the Colonial Pipeline attack that took down the largest fuel pipeline in the US using a compromised password and, at the end of 2021, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the Internet, which impacted upwards of 3 billion devices across a variety of consumer and enterprise services, websites, and applications.

Furthermore, the threat today is no longer confined to traditional IT environments; a new set of challenges has emerged with the convergence of IT, IoT, and OT environments – creating enormous opportunities for hackers – especially because the security risk from these connected ‘things’ can sometimes be overlooked.

That was the lesson learnt a few years ago by the operators of a North American casino, where attackers used a fish-tank thermometer to get a foothold in the casino’s network, access its high-roller database, pull it back across the network, out the thermostat, and then up to the cloud!

These incidents show us just how much the security landscape has changed and serve as a reminder for businesses that every sector is vulnerable to cyber criminals; nothing is off limits anymore when it comes to cyber crime – with wide-reaching consequences for the targeted business, its supply chain, and its customers.

The evolving threat landscape requires an integrated approach

Securing your supply chain can seem complicated but it is manageable. What it requires is its integration into your overall risk management strategy and business operations, and a mindset that recognises that the security of your supply chain is just as important as your own. Taking a proactive approach, having a plan, and understanding what is on the other side of the hill with third-party threats is important.

Viewing cyber security as a crucial element that extends into every aspect of your company’s workflow will enable you to take the most effective steps to access, secure, and monitor your supply chain – putting you back in the driving seat.

In his next blog, ITC Cyber Advisor Neil Lappage will share key considerations to bear in mind and recommended steps to take when it comes to securing your supply chain.