What are supply chain attacks?
Whether our main activity is providing services or industrial production, cyber-attacks that originate with our suppliers are becoming increasingly common. Since 2021 there has been a 300% increase in this type of cyber-attack and, in fact, it is predicted that by 2025, 45% of the attacks suffered by companies will come from cyber-attacks on their suppliers.
How are these types of attacks carried out?
As we have been explaining, cybercriminals use different methods to attack companies of all sectors, sizes and activities. Once they obtain information, especially about that company's customers, they try to expand their reach and attack those customers as well, particularly when those customers are other companies or entities of interest to them.
Depending on the service or product our supplier provides, cyber-attacks originating in the supply chain can affect us in the following ways:
- If we use technologies or services shared with our supplier: the attack would reach us almost immediately and we would be affected at the same time as our supplier, simply because the systems are interconnected. Example: a cyber-attack on Microsoft that affects our corporate email, or a cyber-attack on an external collaborator who accesses our platforms to provide their services or, if we are an industrial company, to give us remote technical maintenance support.
- If they attack our supplier operationally: this may cause cuts in the basic supplies essential to our activity (electricity, water, gas and telecommunications).
- By means of fraudulent communications impersonating the trusted supplier: these communications, as we have explained on other occasions, can arrive by email, phone call or short messages (e.g. SMS, WhatsApp, Teams, Skype, social networks or any other chat platform).
How can we detect and deal with them in our company or organization?
Applying a Zero Trust culture:
- At the company or entity level (public or private), choose our suppliers and providers of services, products and technologies appropriately. It is important that they have the same level of commitment to security as that required internally in our organization.
- At the level of basic supplies, we must assess whether we need more than one supplier, or alternative or backup systems (for example, a UPS or an electricity generator), especially in activities that cannot be halted by a power outage. Example: entities considered critical infrastructure that provide services to the public (hospitals, airports, water treatment plants, etc.), and any company, whether industrial or service-based, whose activity cannot be interrupted because this would cause serious economic and product losses or affect a large number of people.
- At the technical level, it involves using two-factor authentication for users connecting to systems, granting the minimum privileges needed to limit the damage that can be caused, and monitoring computer systems so that any anomalies are detected in time. These anomalies can sometimes be detected by the direct users of those systems, as happens when we cannot use a technology (mail, application, web, etc.) or, in companies with industrial activity, when there are anomalies on the production lines.
- At the user level, be wary of any urgent, demanding or unusual communication and, especially, of those that seek to change invoice payment methods. Whenever a supplier requests a change of account number for future payments, we must not act on that communication, but contact the sender by other means (mail, telephone or official contact) and request proof of bank account ownership.
IMPORTANT NOTE: If, even though you comply with all these measures, you encounter situations that do not meet the required security level or the internal policies, do not hesitate to report them to your direct manager, the CISO (security manager) and the IT department, so that they can advise you appropriately. And although these recommendations are addressed to companies and entities, we must be aware that at the individual or domestic level we could also become victims of a cyber-attack on our suppliers; in that case we must report the incident to the police.