The Cyber Security Headache Of The Future: SMEs In The Supply Chain
26 September 2017 00:00
Much gets made of the urgent need for larger organisations to improve and revamp their approach to cyber security. But one issue that seemingly glides under the radar is, in fact, one that will be giving companies an even bigger headache in the future: their supply chain.
In a Verizon report on data breach investigations, 70% of attacks with a known motive involved a secondary victim.
But it isn’t just the stats that prove the rise of attacks on third parties. There have been a number of recent high-profile breaches that stemmed from security flaws within the supply chain, most of them at SMEs.
Take the NHS, for example. As recently as August this year, its appointment booking system, SwiftQueue, reportedly leaked up to 1.2 million confidential patient records from its database.
Then there’s America’s largest health insurer, Anthem Medicare, whose data breach stemmed from its insurance coordination services vendor LaunchPoint, exposing the personal health information of more than 18,000 enrollees.
Of course, this isn’t just an issue for health organisations. UK retailer Debenhams was on the receiving end of a breach in May this year, due to a security flaw at the supplier that ran its web-based florist business. All in all, 26,000 customers had their data exposed.
Why attack the supply chain?
Large organisations rely on a long list of SME partners and suppliers. Attacking these smaller companies gives cyber criminals an easier gateway to a treasure trove of valuable data.
Spear-phishing campaigns feature heavily in these attack strategies, with stolen contact information, email accounts and knowledge of internal company dealings providing the tools to successfully socially engineer a target.
Large organisations are now demanding more from SMEs
With the profile of these kinds of threats growing rapidly, large enterprises are asking for a lot more from SMEs when it comes to how they practise cyber security.
It's becoming increasingly common for SMEs to have their security protocols scrutinised when trying to win new business. Cyber security conditions can be written into new contracts, and third parties can be required to adopt recognised cyber security standards (such as ISO 27001).
But the fact is, a lot of SMEs out there still aren’t doing enough in their approach to cyber security. Far too many of the small to medium-sized businesses we speak to on a daily basis have no cyber security controls in place whatsoever, and many don’t fully understand the impending changes they will face when GDPR comes into force.
SMEs in the supply chain need to adapt to the (rightfully) increasing demands of the larger organisations they work with. A cyber security strategy, an understanding of the regulations, and effective protocols are the measures they will typically be expected to demonstrate in the future.
This is especially the case with the forthcoming General Data Protection Regulation (GDPR), under which enormous fines can be imposed after a data breach: up to 20 million euros or 4% of global turnover (whichever is bigger). Large organisations will do everything in their power to avoid these fines.
Invest now instead of paying later
Within small to medium-sized enterprises, one of the overriding cyber security issues is the human firewall. Technology aside, the main source of data breaches within them is poor security awareness among employees at all levels.
Unfortunately, many smaller organisations still see cyber security as an IT-only area. This is despite the increasing threat of issues such as phishing, spear-phishing and CEO fraud hitting SMEs in record numbers.
Alongside the technological approach to cyber security, one of the most important steps an SME can take to improve its security measures, and to assure future partners of its dedication to information security, is employee awareness training.
This is especially important as a growing number of large companies see cyber security awareness training as one of the deciding factors in whether or not they should offer a contract.
Educating end users on the risks they face can significantly add to the cyber resilience of the business, and strengthen their position in the supply chain.