Supply Chain Security Archives - Page 2 of 2

What are the questions business owners ask when considering cyber security?

Another good question, or perhaps it should be, do they ask any questions, other than cost, about cyber security, or do they leave everything up to their IT support, whether contracted or in house?

What is the cost of ignoring cyber security?

Perhaps this is the first question that they should be asking. The financial hit of a data breach can be crippling, especially for the smaller businesses who are perhaps running on tight margins and for whom cash flow is often critical. The average clean up for a smallish business is about £27K. this relates to system restoration, hardware replacement, and the implementation of enhanced security measures. and doesn’t include financial loss from the actual data stolen, or whatever scam was perpetrated, and any fall out from compliance failures, such as fines from the ICO. And at least a third of organisations admit to losing customers post a data breach, highlighting reputational damage and a loss of customer trust.

So, what should owners, managers and board members be asking?

I think many get bogged down in the technicalities of IT and don’t consider it in business terms. They don’t think about the business impact of cyber security, about what it is they’re trying to protect. It’s not your IT systems, it’s your data that is the crown jewels. IT systems can be replaced but once the data is stolen, then you are in very real trouble.

Risk Management

First and foremost, the board members need to ask themselves if they have a good handle on their cyber risk. Have they identified their cyber assets? What is a cyber asset? Cyber assets are not just hardware and software, in fact those are often the least of your worries. It’s the data, where it is and how it’s protected that is important. Have you assessed the risk to those assets? Have you assessed the training requirements for your staff, not just the techies but all staff? Think People, Process and then Technology.

Once you have done this, then you can consider what controls need to be put in place to reduce the risk to an acceptable level.

Below is some of the controls you will need to consider. This list is not exhaustive

1. User Access Control (Admin access is a whole other discussion)

This isn’t just about passwords. Yes, they remain important but on their own, they are no longer sufficient. Nonetheless weak passwords, password re-use and password sharing remain one of the leading root causes of a data breach. 123456 and, believe it or not, password, remains the most used passwords across the world!

It is imperative that you have a strong password policy, dictating not just the length of the password, but also its construction, ensuring that there is a good mix of upper and lower case characters, numbers and symbols, that together make things very difficult for password crackers.

On their own though passwords remain a potential weak spot. Multi factor authentication (MFA), sometimes referred to as 2FA, provides that extra layer of defence and can help to protect against brute-force attacks, phishing scams, key-logging and social engineering. MFA can be simply implemented on most email platforms and within various apps you are using. For those of you trying for Cyber Essentials or ISO 27K series, MFA is mandatory, so make sure it’s put in place.

2. Are you backing up your files?

This seems an obvious thing to do but you’d be surprised how often when trying to restore from a backup, it fails. This is often because the backup routine was set up back in the mists of time and has never been reviewed and even more dangerous, it’s never been tested to see if it works. Set up your backup regime, have it reviewed regularly and tested regularly to make sure it works. If you are backing up online, keep in mind that if a cyber-criminal gets access to your systems to, for example, carry out a ransomware attack, then they can probably get at your back up as well. So, belt and braces, consider having an offline backup as well as an online backup. The latter is more convenient but can be corrupted.

3. Do you train your staff in cyber awareness?

My favourite subject – cyber awareness training. Your first line of defence is your staff, but if not trained adequately, they can be your greatest vulnerability. It’s known in the trade as the insider threat but it is caused mainly by human error, staff members doing something they shouldn’t, not maliciously but simply because they didn’t know they shouldn’t. It actually accounts for 88% of data breaches. Providing your people with training on the threats, current scams and basic cyber awareness reduces the chance of a cyber-attack. This really is the easiest and cheapest quick win any organisation can take in reducing their risk exposure.

4. Do your employees regularly travel or work remotely?

This brings us neatly to what Microsoft coined as the New Normal. Essentially this means remote working shared with in office working, known as the hybrid working model, or for some, moving to a totally remote working system. Totally remote is not as common as hybrid working but is becoming more normal with certain size businesses in certain commercial verticals. It’ll never work for everyone, but for those who have embraced it, it saves a considerable amount of expense. It does however require us to rethink our cyber strategy.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network. Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance. This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model. If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities. And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

We need to break out of the old ‘bastion’ security model of a network protected by firewalls and other technologies and think about solutions that are designed to protect your assets regardless of where your employees work from. They exist and aren’t hard to find.

Data tends to proliferate, especially when working remotely. Cyber awareness training helps here, but it also helps for management to have a handle on data storage. All organisations have this problem, but it becomes more acute for those businesses that hold large amounts of what is known as Personal Identifiable Information or PII. This is information that can identify a living individual and compromise their privacy in some way. Financial advisors, estate agents, solicitors etc, all share this issue. The data protection act, becoming referred to as UK GDPR, is not a suggestion, it is law.

5. Where is all your data stored and who has access to it?

One of the biggest issues we find with organisations of all sizes, is that they think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue in that the new normal tempts users when working remotely, with possibly less than robust broadband, to copy data from cloud storage to their PC or laptop to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.

There are several systems on the market which will help with this but what most need now is a system that works regardless of the location of the user and continues providing that cover when the user moves from one location to another. This is just a suggestion, but we’d be delighted to demo it to anyone who is interested. https://hah2.co.uk/gdpr-data-protection/

6. Disaster Recovery and Business Continuity

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organisation can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective. Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

Just like backups, which are a crucial part of Disaster Recovery, these plans can become very quickly out of date and useless, unless reviewed periodically and tested to see if they actually work.

7. Vulnerabilities and Threats

A vulnerability is a flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by a threat. A threat is a potential for a threat agent to exploit a vulnerability. A simple way to explain this is that a vulnerability is the inability to resist a hazard or to respond when a disaster has occurred. For instance, people who live on plains are more vulnerable to floods than people who live higher up. The threat is the flood itself.

IT risks and vulnerabilities are the potential threats and weaknesses that can affect the performance, security and reliability of your business function and processes. They can have serious consequences for your business goals, customer satisfaction, and competitive advantage.

Identifying vulnerabilities to your cyber security assets and then identifying the threat to those assets in terms of the vulnerability being exploited, informs your risk and enables you to assign a value to it. Financial value can be assigned to the risk score if you so wish. You then apply controls to bring the risk down to an acceptable level, starting with the Very High risks, and then bringing them down to whatever is acceptable to you. That acceptable level, known as the risk appetite, will vary business to business, risk to risk.

8. Supply Chain Security?

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC and points out that many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack) but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

If you are in someones supply chain, then you need to make doubly sure that your security protects your customer as well as yourself. And conversely, if you are connected electronically to someone who supplies you, are you sure that you are protected from any vulnerability they may have.

Another Tilt at AI

At the risk of boring you about the risks inherent in AI, I’m going to have another go, simply because it’s a fascinating subject. AI can really become the gift that keeps on giving. We’ve always played catch up to the cyber criminals, trying and often failing to anticipate what the next attack will be, what the next series of attacks will be. Will it be ransomware, denial of service or perhaps a new and more sophisticated scam? Who knows? But there is no doubt that AI is raising the bar.

I have talked a lot about the re-emergence of the script kiddie and how AI in enabling this particular breed of wannabe criminals. But it’s also true that the more skilled and sophisticated criminal is making use of AI and finding new and innovative ways of relieving you of your hard earned cash.

There is a lot going around within the IT and cyber industry about the ethical usage of AI, its ethical development, and that IT system integrators have a cast of thousands working on such ethical development and usage. Fine, I applaud them. But what does that mean for cyber security, and indeed data protection? Well, I have to say, in my humble opinion, not a great deal. I say that simple because no matter how ethical we are, the criminal doesn’t give a damn, he or she will continue on their own sweet way and do what criminals have always done, which is to completely disregard ethics. So, whilst we can applaud and support those companies who are producing software and systems which use AI ethically, for the good, but just like old times, the criminals will do their own thing.

So, let’s take a look at some of what is at risk in terms of our data and systems:

Data Protection. AI systems tend to be extremely good at analysing, organising, and harvesting vast amounts of data, raising concerns about privacy breaches and unauthorized access to sensitive information. A good AI powered attack could capture huge amounts of personally identifiable information (PII), in a ridiculously short amount of time.

Data Integrity. In the good old days (please indulge me – I’ve been around a long time), we used to talk about CIA, no, not the infamous US intelligence agency, but Confidentiality, Integrity, and Availability. We now have something we call the Adversarial Attack. This is where attackers can manipulate AI algorithms by feeding them misleading data, causing them to make incorrect predictions or classifications, in turn destroying the integrity of your data, not just rendering it useless, but dangerous.

Model Vulnerabilities. This next one is relatively new, at least to me, and as I never tire of saying, I’ve been this game as long as there’s been a game. It’s something call Model Vulnerabilities. AI models can be vulnerable to exploitation, such as through model inversion attacks or model extraction, where attackers can reverse-engineer proprietary models. So, if you’re in the dev game, this is a very real nightmare.

Bias and Fairness. AI systems may inherit biases from training data, leading to unfair or discriminatory outcomes, which can have legal, ethical, and reputational implications. This could be used as another form of extortion, playing with the integrity of your data, to the point where you can no longer trust it.

Malicious Actors. These can compromise AI systems at various stages of development, deployment, or maintenance, posing risks to organisations relying on these systems. This has a play in supply chain security.

Attackers can leverage AI techniques to enhance the effectiveness of cyberattacks, such as automated spear-phishing, credential stuffing, or malware detection evasion.

Addressing these risks requires a multi-faceted approach, including robust security measures, thorough testing, ongoing monitoring, and regular updates to mitigate emerging threats.

The real danger is complacency. AI isn’t a future hypothetical threat but is very real and here now, already making itself felt, for both good and bad.

Supply Chain Security, Spear Phishing and Remote Working

Reports on Cyber trends abound, and you could be forgiven for thinking that they are often produced by organisations trying to sell you something. And I might be tempted to agree. Am I any different, well I’ll leave you to judge but I do think that it is very important to educate, and not just sell, into the SME market. I’ve said many time times before, that the SME market has been badly served by the Cyber security industry, in that it tends to get ignored. However, that doesn’t mean that they are any less at risk, or any less important to the UK economy. Quite the reverse. I do read several reports about cyber trends, and if I think they are of use, then I do pass them on via this newsletter. I have read one recently which I think is worth passing on. It highlights 3 different scenarios, all of which I have blogged about in the past. They are, in no particular order, supply chain attacks, spear phishing and attacks against hybrid workers. These are clearly not exhaustive, but they are relevant to SMEs.

An often forgotten element of Cyber security lies within a company’s supply chain. Manufacturers for instance, often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers who are connected to the company’s inventory, and automatically resupply when an item runs low. It’s efficient and prevents the holding of unnecessary stock. But it can, if not done correctly, drive a coach and horses through your security.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with. Why, well the problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products, and they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Spear phishing is a more targeted cyber-attack than phishing. Emails are personalized to the intended victim. For example, the attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim’s trust. In other words, this is what might be referred to more as a scam than a cyber-attack, but it is no less illegal.

The common characteristics of spear phishing emails are not unlike traditional phishing scams:

The email uses email spoofing to masquerade as a trusted person or domain. …
Social engineering is employed to create a sense of urgency to exploit the victim’s desire to be helpful to a friend or colleague.

Hybrid working has been the subject of several of my blogs and newsletters of late. We are all now seeing the ‘new normal’ and are embracing it to some extent. There are now surveys by HR consulting companies, suggesting that 60 to 70% of companies of all sizes are planning to adopt a hybrid model. In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.

As organisations of all sizes begin the decision making process which allows them to seriously consider the recalibration of their operating model to adapt to the new normal, then there is a real need to re-evaluate their cyber security stance, involving policies, processes, people training and technical defences.

Cyber criminals have used this shift in working patterns to their advantage and their attacks have increased hugely, across the globe. Working from home has increased the footprint of IT operations whilst weakening its defences and the scope for cyber criminals to develop new attack methods, new scams, and to generally increase their revenue, exponentially.

Cyber-attacks and data breaches tend to only hit the headlines when it’s a large company involved. However, SMEs are hit every day, but for somewhat smaller sums of money and there is an argument that often these attacks go unreported to protect reputations and even go undiscovered for long periods of time. Data breaches do get reported because of the requirement to make such a report to the Information Commissioners Office, but even then, actions taken by the ICO often fly under the radar. For instance, this year alone there have been over 40 fines by the ICO, many to companies categorised as SME. A finance company was fined £48k and a solicitor was fined £98k. You can research all of this on google if you want confirmation.

Supply Chain Threats and Vulnerabilities

Supply chain attacks, what are they and why do they matter to an SME? Lots of larger company’s rely on smaller ones to provide key components that they require in their manufacturing or other processes. That supply chain is critical their operations and is therefore required to be robust and secure. An attacker is constantly looking for weak links in cyber defences, that can be exploited for financial gain. They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat, and lower expenditure on defence. They will be looking to piggy back on loopholes in the suppliers defences, to attack their main target.

Manufacturers often use what is known as ‘just in time supply’, ie they have an electronic connection to their key suppliers who are connected up to the company’s inventory, and automatically resupply when an item runs low. It’s efficient and prevents the holding of unnecessary stock. But it can, if not done correctly, drive a coach and horses through your security.

Cybersecurity, IT governance, and data security will be the number one risks in 2023. Ransomware has been a significant threat in 2022, but the nature of cyberattacks is constantly evolving.

The goal of such attacks is to grab whatever the target has that is of value to the attacker, so it can include infecting legitimate applications in order to distribute malware, access IPR (designs, plans, source code, build processes etc etc), or inventory theft, inserting false invoicing into your system etc. In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

Steven A. Melnyk, Professor of Supply Chain Management at Michigan State University said, “The problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.”

Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent, he revealed. “The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices under the current variable costs. This supplier also patented the firm’s innovations.”

The growth of the digital economy and digital supply chain is contributing to the growing cyber security threat, with four billion people predicted to be connected to the Internet daily in 2020. In 2021 it is estimated that so far, attacks of this nature have increased globally, by around 42%.

There are of course things that you can do to protect yourself and your clients. There are several technical defences that you can implement. The problem generally remains that SMEs have a tight budget and no internal resource to combat this issue.

The first thing cyberattackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts. This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted. This predictable attack sequence is known as the Privileged Pathway – it’s the common attack trajectory followed by most cybercriminals. The trick is to disrupt an attacker’s progression along this pathway so that breach attempts, and therefore supply chain attacks, can be prevented.

An effective Privileged Access Management (PAM) framework will disrupt this common attack trajectory and is highly recommended.

That said, I have always been a great advocate that the biggest ‘quick win’ any company can achieve, at minimum cost, is staff awareness. Staff are the primary gateways to malicious code injections because they’re usually tricked into permitting cybercriminals access into an ecosystem.

The most common form of trickery is scam emails (or phishing attacks), which I have discussed in previous posts. These emails seem like they’re sent from trustworthy colleagues but upon interacting with them, malicious codes are activated, and internal login details are stolen, which in turn could grant criminals access to a system, initiating the hunt for higher privileged accounts.

To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.

There is so much more to this subject, and it is a matter for each company to assess how much of a problem they think this is to them. Understanding the threats to the business, how vulnerable you are to those threats, and therefore what risks you are taking, and how severe they are, is key to every element of Cyber Security. SMEs remain vulnerable because they rarely have any in house resource to understand those risks and take the right actions to mitigate those risks.

[/et_pb_blurb][/et_pb_column][/et_pb_row][/et_pb_section]

Supply Chain Security