Is your small business being targeted by supply chain hackers?

Gill Langston 23 Jul 2019

Find out how to protect your business from being the weak security link in the digital supply chain

The way we do business has completely changed over the last several years. Paper trails have been replaced with digital footprints and tech-savvy solutions are flooding the market. This move to digitization can be wonderful for modern businesses. It increases business efficiency and speed, especially when it comes to supply chains.  A new vendor, third-party software provider, or partner can be connected to a business with the click of a button, but the security posture of new business partners can often be overlooked — exposing you and other companies in your supply chain to increased risk. 

Digital transformation initiatives are creating a more vulnerable landscape for businesses. Finding and onboarding new partners may be easier than ever, but these increased connections between companies aren’t always secure and cyberattackers can use them to access data. According to a survey conducted in 2018 by the Ponemon Institute, 56% of organizations have had a data breach that was caused by one of their vendors. Most notably, Target experienced a wide-scale breach in 2014 that affected upwards of 70 million customers due to its HVAC supplier, Fazio Mechanical Services (FMS). Once hackers gained access to the smaller target, FMS, they were able to gain access to Target’s network through the digital supply chain. 

IT leaders are often aware of the risks, but aren’t sure how to implement the necessary precautions. According to a Spiceworks survey, 44% of security and IT leaders said their companies had experienced a significant, business-altering data breach caused by a vendor. Nearly 250 companies that participated in the survey said they experienced a data breach because of security lapses in one of their suppliers. But, shunning  suppliers and distributors isn’t a viable option. The answer is to ensure visibility into your supply chain and strike a balance between connectivity and security.

So, what actually makes up a digital supply chain? 

Vendors, partners, suppliers, distributors, or any third-party entity involved with a business make up supply chains. Outsourced connections could be handling accounts payable, product development, website management, or in Target’s case, even maintaining physical facilities. Having an endless digital supply chain creates an issue with data privacy. In today’s environment, data is flowing not only through a company, but between third parties, partners, and between users and their devices as well. This is why data breaches are so common. Access points for data are everywhere and safeguarding private information can be daunting and expensive – especially for small to medium businesses (SMBs) who have turned into an attractive target for cybercriminals. Nearly half of cyberattacks and breaches are now directed at SMBs. Why is that?

SMBs are the key to accessing larger enterprises 

Supply chain attackers target SMBs to gain access to larger enterprises through any digital connection. For example, Equifax blamed its huge data breach on a flaw in an outside company it was using. The attackers simply targeted a smaller company with less security. More recently, Freedom Mobile, a wireless phone provider in Canada, announced a widespread breach that was caused by a security hole created by a third-party service it was using. This is why it’s important to monitor the links on your digital supply chain and for SMBs to have enterprise-level protection in place.

Small and medium businesses (SMBs) are targeted because: 

  • They have less budget and fewer resources to defend against a cyberattack, which makes them attractive targets 
  • SMBs often lack strategic security measures and trained personnel —only adding new, disparate solutions when they find the resources, leading to more attack surfaces and less cohesiveness 
  • It may take SMBs longer to detect a breach. According to Verizon’s 2018 Data Breach Investigations Report, 68% of breaches took months or longer to discover

The impact of a supply chain attack on an SMB 

You may be wondering what the implications are for SMBs. What happens if you’re identified as the weakest link? Not only do you risk being the source of infection for multiple companies, you risk destroying your own business as well. According to the Ponemon Institute, it costs small businesses on average $690,000 to regroup after a hack, and over $1 million for mid-market companies. This may seem trivial in comparison to high-profile enterprise breaches, but SMBs are often unable to continue normal business operations — they even risk losing their companies altogether. 

The cost of rebooting operations, lost productivity, and system repairs are not the only negative impact to SMBs affected by supply chain attacks. The European Union’s General Data Protection Regulations (GDPR) can affect SMBs who collect personally identifiable information.  These regulations include mandatory breach reporting, with fines for organizations that don’t report a breach within 72 hours of detection. The penalties are steep, going up to 4% of global annual revenue or 20 million euros ($22.4 million), whichever amount is higher. 

It’s quite clear how devastating breaches can be. Digital connectivity is only putting a bigger target on small and medium businesses.  So how do SMBs lock down their link in the chain?

Defending your business 

Educate the frontline — your employees 

The first step in securing your network is education. Holding trainings, informative meetings, webinars, or even sending email reminders can help employees spot phishing tactics and fake websites. It’s important to stress the impact of a hack or breach on the business to motivate employees to be more careful. 

Monitor accounts and access levels

Only necessary users within your organization should be granted administrative access to tools and platforms. Old accounts of former employees or former partners should be removed. Keeping track of this is critical. Account passwords should be changed regularly, with strong password combinations and two-factor authentication. Remain aware of any applications or programs your employees are accessing from company devices; implementing content filtering or a secure web gateway can also help protect users from unsecured web pages. 

Keep software patched 

Cybercriminals target and benefit from unpatched software. It’s an easy way for hackers to find a hole in your security strategy. With new patches being released quite often, IT teams find it hard to keep up. Patch Management software helps businesses centralize comprehensive patching and ensure the security of the network. 

Utilize firewalls, secure gateways, and antivirus solutions 

New attack methods are popping up rapidly. Robust cybersecurity solutions provide a barrier between your network and the bad guys. Placing antivirus software on all devices, a network firewall, and secure gateways reduce the risk of a costly breach and provide peace of mind. 

Staying protected in a digital supply chain

Whether you’re concerned about being the target, or about your own third-party connections lacking sufficient protection — being secure starts with awareness. In this case, acknowledging the vulnerabilities that inevitably come along with digital connectivity. Below are a few ways you can determine the level of security in your digital supply chain and how to implement protection.

  1. List your vendors, suppliers, distributors, resellers – really any company or individual that has access to your data or is connected to your company in some way. In a recent survey, only 35% of companies had a comprehensive list of all third parties they were sharing sensitive data with – and only 18% knew if their vendors were sharing that data with other suppliers.
  2. Determine what data each vendor has access to – credit card information, Social Security numbers, addresses? 
  3. Figure out whether each vendor is sharing data from your company through their own supply chain. Vendors could be selling data from your business to research or marketing firms. 

Steps to protect your business: 

  • Remove access where access isn’t necessary. Creating and enforcing privilege levels can help determine which individuals should have access to different areas of your data.
  • Educate employees who work with third parties on how to safeguard data. No matter how long the vendor has been in business with your company, the same security guidelines should apply.
  • Implement required security accreditations, such as Cyber Essentials and/or ISO/IEC 27001 information security management. These accreditations verify that companies are following a baseline level of security for their clients or vendors. 

Install business-level cybersecurity solutions to protect yourself. Things do slip through the cracks sometimes. It’s important to have several layers of security in place to protect your network from the unpredictability of cybercrime.

--> -->