During 2022 and 2023, we saw an increase in the number of supply chain related cyber threats and incidents. Supply chain attacks seek out weaknesses and vulnerabilities within the complex network of suppliers, vendors, partners and contractors involved in delivering products and services to organisations. Threat actors exploit the trusted connections between parties within the chain, usually finding an easy target (for example, an SME vendor supplying goods or services to several larger companies) and infecting their systems with malware in order to gain unauthorised access to the rest of the supply chain. If undetected, the malware can then spread across layer upon layer of organisations within the chain.
Kay Hargreaves, principal cyber risk consultant for Crawford Risk Consulting, advises
“The consequences could be catastrophic, with potential for widespread failure of critical systems and large-scale data breaches. A single attack could affect hundreds of thousands of end users.”
The cyber security industry is talking about it, cyber insurers and brokers are talking about it, all with increasing concern. But is the message reaching the organisations that need to hear it? It is vital that the risks and potential impact is understood by end users, particularly SMEs. Cyber criminals look for the path of least resistance. SMEs often have less resources, more legacy systems (with greater potential for vulnerabilities to be introduced) and a less robust cyber security posture, so they can provide easier points of entry for the threat actors.
Kay says, “Managing supply chain risk isn’t easy; organisations need to think not only about their own suppliers and vendors, but the suppliers of suppliers as well, and even those suppliers who rely on the same suppliers as them. Companies need to identify these supply chain links and flow of data, including who has access into the network and applications. This web of interconnectivity can create challenges in understanding what and where the exposure lies.”
There are risk control mechanisms and processes that can be implemented by companies of all sizes and across any industry to help in mitigating the supply chain exposure. Robust evidence based supplier onboarding procedures including risk assessment and resiliency reviews, baseline security standards that vendors are assessed against, maintenance of contractual controls and periodic audits are just a few such measures that Crawford Risk Consulting’s cyber team would encourage.If you need more details or assistance regarding the mitigation of supply chain risks or any other aspect of managing cyber risks, please feel free to obtain our risk consulting brochure. You can also direct your questions and inquiries to Risk_Consulting@crawco.co.uk.