Supply chain attacks have been a growing concern in recent years. These are attacks on companies that provide goods and services to others, meaning an attack on them can have far-reaching consequences.
For example, the ransomware attack on Colonial Pipeline in 2021 impacted consumers and businesses across the east coast for well over a week. The pipeline supplies vital petroleum products, and with it out of operation gas prices went up and gas stations began running out of fuel.
Another type of supply chain breach can happen when information you entrust to a third-party vendor is compromised in a breach of that vendor. Your business may not have had a security breach of its own, but information you are responsible for is exposed, and you still pay the consequences, including lost business and compliance penalties.
This is exactly what happened in the case of Singapore Airlines. The airline itself was not attacked directly; however, the personal data of over 580,000 of its frequent flyer members was exposed when a supply chain vendor providing passenger services was attacked and had that data stolen.
A third type of supply chain attack can actually cause your own network to be breached. This would be an attack on a software provider that you use. A recent case of this would be Kaseya, a developer of software used by IT businesses to remotely connect to client systems. The company had its software infected with malware, which then spread to the IT companies using its software and their customers. Approximately 1,500 businesses were breached from one attack.
Cybersecurity protection leader Acronis warns that approximately 53% of organizations have exposure to supply chain attacks and not enough safeguards in place.
Supply chain attacks have become more prevalent, which makes it a critical area of your security to address this year. In just the first quarter of 2021, supply chain attack volume increased by 42%.
What Can You Do to Protect Against Supply Chain Attacks?
While you can’t control whether a supplier or software provider you use has a breach, you can work to mitigate your risk. Here are some tips.
Perform Annual Penetration Testing
It’s important to ensure your own IT security measures are up to date and strong enough to protect your business in the case of a ransomware attack or malicious code hidden in software.
Performing annual penetration testing provides you with the information you need to reduce your risk. In penetration testing, experts try to infiltrate your company network as if they were hackers. Their goal, however, is to tell you where criminals could potentially get in so you can address vulnerabilities before it’s too late.
Review the Security of All Suppliers & Software Vendors
You shouldn’t be in the dark about the security of your suppliers. This goes both for goods and services suppliers, as well as digital vendors (like VoIP and SaaS tools). It’s especially important to review the security of any vendor that you entrust with sensitive information because a breach of their systems could mean a costly data leak for you.
How do you know what to look for? Contact your friends at Two River Computer. We can help you sort through the security information of your vendors to identify any risk areas.
Document Areas of Risk in Your Supply Chain
After you’ve reviewed the security of your vendors, document areas of risk in your supply chain. This will give you actionable items to address when upgrading your IT security protections.
For each supplier, you want to ask questions such as:
- What would happen to our business if this supplier was closed for a week or more?
- What would happen if this supplier suffered a ransomware attack? Is our data at risk?
- Do we have an alternate vendor for this good or service should the current one go down?
From there you can begin to develop a strategy for business continuity that includes building resiliency and safeguards into your vendor and supplier relationships.
Create Minimum Standards for Evaluating Suppliers & Vendors
While you’re going through your supply chain risk assessment, you should also put minimum standards in place by which you can evaluate future vendors. This will save you time in the future and help ensure that you avoid any vendors with poor cybersecurity hygiene.
A good place to start is with data privacy compliance regulations. For example, a minimum standard for you might be whether the provider is GDPR or HIPAA compliant. We can help you determine the relevant compliance standards for your industry.
Improve Your Cybersecurity Posture with Proactive Support
Two River Computer can help your Fair Haven business reduce your risk by automating your device and network protection and monitoring.
Contact us today for a free consultation. Call 732-747-0020 or reach us online.