Supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.
Despite these risks, many companies lose sight of their supply chains. More than 90% of firms across the globe have experienced breaches as a result of supply chain weaknesses.
With the recent sanctions placed on Russia, now would be a good time to check any third-party services you receive from within your supply chain. Any organisation that uses Russian services as part of its IT infrastructure may need to check whether it is still receiving those services.
There has been some concern in the news recently that Kaspersky (Moscow-based antivirus software) could be exploited by Russia. This concern has grown since sanctions increased and the provider is not being paid; it may therefore wish to withhold or suspend its services. Anyone who has any Russian software in their supply chain is advised to take a second look to ensure they are still being covered.
Supply chain attacks can be used for a number of purposes: delivering ransomware, breaching confidential data or introducing vulnerabilities for further attacks.
The NCSC has developed 12 key principles for supply chain security, which will help improve awareness and support the implementation of good cyber security practices.
A series of high-profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.
Organisations need to manage security risks to network and critical information systems that link to external suppliers, ensuring appropriate measures are used by third parties.