What due diligence do you undertake when signing up a new supplier, and how often do you review their security status?
Less than two years ago, in June 2018, when Ticketmaster UK revealed cybercriminals had stolen data from up to 5 per cent of its global customer base via a supplier, it set alarm bells ringing.
The following month, a CrowdStrike report laid bare how ill-prepared organisations around the globe were against hackers seeking to exploit third-party cybersecurity weaknesses. Two thirds of the 1,300 respondents said they had experienced a software supply chain attack. Almost 90 per cent believed they were at risk via a third party. Yet approximately the same number admitted they did not deem vetting suppliers a critical necessity.
Given Symantec’s latest Internet Security Threat Report, launched early last year, highlighted that supply chain attacks had increased by 78 per cent in 2018, one hopes organisations heeded the warning signs and shored up their third-party cybersecurity policies well before COVID-19 hit businesses.
Experts fear companies that failed to bolster their cyber defences are now even more exposed because supply chains have become fragmented, and hackers, like great white sharks, smell blood. “Criminal groups have recognised that to catch the big fish they need to catch some smaller fish first,” explains James McQuiggan, security awareness advocate at KnowBe4.
To extend the fishing, or rather phishing, analogy: to net the whopper organisations, hackers are scooping up the tiddlers in the supply chain, McQuiggan says, as they "may not have robust security programs and are often unable to afford adequate cybersecurity resources or personnel."