
    Bridging the Cyber Divide: You’re the Weak Supply Chain Link

    Cyberattackers are going after you to get to your biggest customers.

    by Ed Jennings

    Welcome to the latest installment of Bridging the Cyber Divide, our blog series focused on helping IT professionals at small-to-medium sized organizations make the case for enhanced security solutions. We want to help you win over the skeptics you may face along the way.

    In the last edition, we set the scene, exploring the real cybersecurity issues organizations face regardless of their size and how important it is to convince others of this fact if they have purchasing veto power.

    This time, we’ll start to look at individual threat trends that should be part of your enhanced security argument. We’ll start by exploring the issue of supply-chain attacks.

    How supply chain attacks happen

    Folks in the C-level may think because your organization isn’t a Fortune 500 brand that there’s no way any attacker would think to go after your critical IT functions. But the truth is, if your defenses aren’t strong enough, you could be the ideal target if a cybercriminal is trying to get to a bigger fish.

    If you do business with other larger companies as part of a supply chain, you’re already a target. In supply-chain attacks, smaller companies are breached as part of an effort to get into the systems of a larger company to gain access to their money or corporate intellectual property.

    Any weakness could result in a security incident that impacts both you and your supply-chain partners. The most common high-profile supply chain attacks involve stealing the network credentials a smaller supplier holds for a bigger brand and then using that access to plant malware in the larger company’s critical systems. The credentials are lost either through human error, when employees handle privileged information carelessly, or through weak defenses at the smaller supply-chain company.

    In these instances, the stolen privileged credentials give the attacker unfettered access to the larger company’s network. Once inside, they can stay undetected for days, months or even years, because to the larger company’s monitoring they look like a normal, authorized user accessing the system.
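    The reason stolen vendor credentials go unnoticed is that nobody compares what the vendor account actually does with what the vendor was granted. One practical countermeasure on the receiving side is to write down that grant (source networks, target systems, hours) and alert on every login that falls outside it. The script below is an added example, not code from the original post or its author; the account name, hosts, IP addresses and log lines are constructed for illustration, and the access-profile format is an assumption.

```python
"""Added example (not from the original post): flag logins by a third-party
vendor account that fall outside the access the vendor was actually granted.

Assumes each vendor account has a documented access profile (allowed source
networks, allowed target systems, allowed hours). Every identifier, address and
log line below is constructed for illustration."""
import ipaddress
from datetime import datetime

# Constructed access profiles: what each vendor account is contractually allowed to do.
VENDOR_PROFILES = {
    "svc-hvac-vendor": {
        "source_nets": ["203.0.113.0/24"],           # vendor's VPN egress (TEST-NET-3)
        "targets": {"billing-portal", "project-mgmt"},
        "hours": (7, 19),                              # 07:00-19:00 local, end exclusive
    },
}

# Constructed authentication log: "timestamp user source_ip target outcome"
SAMPLE_LOG = """\
2018-09-10T09:12:03 svc-hvac-vendor 203.0.113.25 billing-portal success
2018-09-10T22:41:57 svc-hvac-vendor 203.0.113.25 billing-portal success
2018-09-11T02:07:11 svc-hvac-vendor 198.51.100.7 pos-update-server success
2018-09-11T10:30:45 svc-hvac-vendor 203.0.113.40 project-mgmt success
2018-09-11T10:31:02 svc-hvac-vendor 203.0.113.40 domain-controller success
"""


def parse_event(line):
    """Split one log line into a dict; outcome is kept for context only."""
    ts, user, src, target, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src), "target": target, "outcome": outcome}


def evaluate_event(event, profiles=VENDOR_PROFILES):
    """Return the list of profile violations for one event (empty list = as expected)."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["unknown_vendor_account"]
    reasons = []
    if not any(event["src"] in ipaddress.ip_network(n) for n in profile["source_nets"]):
        reasons.append("source_not_in_vendor_network")
    if event["target"] not in profile["targets"]:
        reasons.append("target_outside_granted_scope")
    start, end = profile["hours"]
    if not (start <= event["ts"].hour < end):
        reasons.append("outside_business_hours")
    return reasons


def audit_log(text, profiles=VENDOR_PROFILES):
    """Return (line_number, user, target, reasons) for every event that breaks its profile."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = evaluate_event(ev, profiles)
        if reasons:
            findings.append((n, ev["user"], ev["target"], reasons))
    return findings


if __name__ == "__main__":
    # Lines 2, 3 and 5 of the constructed log should be flagged.
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Line 3 of the sample is the one to worry about: a login from outside the vendor’s network, to a system the vendor was never granted, at two in the morning. A single violation (line 2, after hours) may be a late-working technician; three at once on a vendor account is the pattern the post describes, and it is only visible if the grant was recorded somewhere a rule can read it.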

    The impact of supply-chain attacks

    Some of the most significant, headline-grabbing breaches in recent memory have come through the supply chain: a smaller company was breached first, and the access it held into a larger company was then used to breach the larger company.

    One of the most famous examples is the 2013 Target breach, in which Target network credentials were stolen from a Pennsylvania-based refrigeration, heating and air conditioning subcontractor. How did the attackers get in? The contractor reportedly had a data connection with Target for electronic billing, contract submission and project management.

    Point-of-sale malware was then uploaded to Target’s cash register systems, and Target later informed over 110 million customers that their card or personal information had been compromised in the attack. All told, the breach reportedly cost Target upwards of $300 million.

    Along similar lines, the 2014 Home Depot breach that ultimately cost the company $179 million to settle was caused when network credentials were stolen from a third-party vendor.

    That same year, JP Morgan Chase experienced a hack where contact information was stolen for 76 million households and 7 million small businesses due to an attack that originated from—you guessed it—a supply chain breach. In this instance, the company’s corporate challenge charitable race website that was serviced by a small data systems company was found to have been accessed by the same cybercriminals.

    The impact of impersonation attacks, in which the attacker pretends to be a trusted partner rather than breaking in through one, can’t be ignored either. According to The State of Email Security 2018 report, 31% of organizations have experienced an attack from a cybercriminal posing as a third-party vendor or partner. Of that group, 61% suffered data or financial loss from the impersonation attack.

    A survey this summer from CrowdStrike indicated that nearly 80% of respondents believe supply chain attacks have the potential to become the biggest cyberthreat over the next three years. Respondents reported that supply chain attacks cost them $1.1 million on average.

    How to make your business case

    When you face organizational skeptics who don’t see the value in security beyond what comes out of the box with your systems, the prevalence of supply-chain attacks is one of the most important arguments you can make.

    Making them aware of how an attack on you could not only impact your business operations and employee productivity, but significantly harm supply chain relationships, should send a strong message.

    Here are some fears and concerns you could raise:

    • Your organization could be found liable for a breach at another organization, and that could add significantly to the cost of cleaning up from the breach.
    • If your organization is the source of a supply-chain breach, you’ll undoubtedly suffer damage to your brand, especially if you rely on the trust of keeping data/items/information safe for your customers.
    • It’s also very likely this incident would lead to not only the loss of the impacted customers in your supply chain but other customers as well. Why would they stay with you if your systems have been compromised?
    • You’re also likely to lose the ability to use larger account customers as references when it comes to trying to drum up new business after an attack.
    • In the end, going out of business because of a supply chain attack is a real possibility for any small to medium sized organization. The smaller the organization, the more difficult it’s likely to be to keep afloat.

    Hopefully these types of points will allow you to win the argument about cybersecurity. Thanks for reading and stay tuned for the next edition of Bridging the Cyber Divide in December.
