Most businesses vulnerable to supply chain cyber attacks

UK firms trail the leaders, the US and Germany, in knowing the most about their partners’ cyber security practices, but most companies globally are in the dark about this growing source of vulnerabilities

Seven in 10 businesses may be particularly vulnerable to cyber attacks through their supply chains, according to research commissioned by Accenture.

Just 29% of business and IT executives globally know how diligently their partners are working on security, with 56% relying on trust alone, according to a survey of more than 6,600 large-business and IT executives in 27 countries, including 372 respondents in the UK.

This is despite the steady rise of the tactic known as island hopping, in which cyber attackers go after not only the target network but all those along its supply chain as well.

Indirect attacks of this nature could account for nearly a quarter of the total value at risk from cyber crime over the next five years, according to Accenture’s 2019 cost of cyber crime report.

The UK is in the middle of the pack, matching the global average of 29% who felt that they knew whether their partners were working diligently to be cyber resilient. Front-runners are the US (35%) and Germany (30%), while the laggards are China (11%) and Japan (14%).

According to Accenture, understanding different cultural approaches to partner security is crucial for companies with complex global supply chains, as hackers become increasingly adept at exploiting third parties as a route into Fortune 500 companies, which can have hundreds or even thousands of partners at any given time.

“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over,” said Nick Taylor, cyber security lead for Accenture UK.

“Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organisations.”

Even industries with a more demanding regulatory landscape are struggling to keep track, the data shows, with 57% of respondents in the banking industry reporting that they simply place their trust in their partners.

“Organisations must learn to collaborate on security. This doesn’t just mean with other businesses, but also with governments,” said Taylor.

“Some of the most devastating attacks we’ve seen in recent years have been state-sponsored, which will take a combined effort to combat.

“And with this type of attack on the rise, organisations will surely start to get rid of their weakest links. For those who get it right, security could be a real competitive differentiator and a make-or-break in deals.”

Organisations should take several fundamental steps as a starting point, according to Accenture. These include:

Collaborating with the community: The research data shows that 87% of executives recognise that they need to rethink their approach to security to defend not just themselves, but also their ecosystems. Netflix is among those leading the open-source security charge, having shared internally developed security tools with the world since 2014.

Coupling security with corporate strategy: Only 38% of businesses report including the chief information security officer when considering new business opportunities. GE, for example, has CISOs assigned to specific regions and business units to help inform decision-making at a more granular level.

Thinking creatively about vulnerabilities: Businesses must learn to think like a hacker when threat modelling. A group of hackers made millions from insider information about publicly traded companies, not by attacking the companies themselves, but by targeting the newswire agencies that get early access to press releases from the world’s largest businesses.

Continually assessing vulnerabilities: Large enterprises have hundreds, if not thousands, of third-party partners going through various stages of on- and off-boarding, each with a different level of network access. Organisations must create a process that allows them to continuously reassess where their vulnerabilities are.
