This past Fourth of July weekend, cybercriminals launched an attack that negatively impacted well over 1,000 businesses. From Quartz:
“It all started with a Miami, Florida-based IT services company called Kaseya, which provides security software for scores of large-scale cybersecurity contractors, which in turn sell their security services to thousands of businesses worldwide. After hackers breached Kaseya’s servers on July 2, they were able to quickly leap into at least 40 cybersecurity contractors’ systems. From there, they infected hundreds of businesses with ransomware over the weekend.”
This type of attack is known as a supply chain hack, and it represents a growing threat to U.S. companies. The high-profile SolarWinds attack in late 2020 is another example of a large-scale supply chain hack that has had disastrous and far-reaching consequences for the federal government, American businesses, and their customers.
In this blog post, we’ll take a deep dive into supply chain hacks and the heightened danger they pose for small- to mid-sized businesses. We’ll also give you tips for protecting your company against the negative consequences of a cyberattack.
How Does a Supply Chain Hack Work?
Cybercriminals execute supply chain hacks by targeting companies’ software vendors or IT service companies in order to gain access to and exploit their clients’ systems. This type of attack greatly enhances the level of damage cybercriminals can inflict with a single security breach—it allows them to hit hundreds of birds with one stone.
In a traditional cyberattack, hackers zero in on one target and spend all of their efforts figuring out how to break into that company’s systems and access its client or customer data. For large companies, this can potentially impact thousands of their customers, but the attack is contained within the systems of the targeted company.
With a supply chain hack, however, cybercriminals target a company’s trusted vendors or IT-service providers with the goal of inserting malware into the “supply chain” of software updates that they provide their clients. These vendors and IT companies tend to have hundreds of clients, so a successful supply chain attack would grant cybercriminals virtually unlimited access to all of their clients’ data and the customer data for each company in the supply chain.
Cybercriminals have tended to target major companies and key pieces of infrastructure in the past, but given that supply chain hacks allow criminals to access entire networks of companies from a single access point, small- and mid-sized businesses that wouldn’t otherwise look like appealing marks are now much more vulnerable to attack.
Protecting Your Business Against a Supply Chain Attack
There are three main steps that experts recommend for helping your organization reduce the risk of incurring the negative impacts of a supply chain hack:
Step #1: Conduct an audit of your software and IT service vendors.
Your organization’s first step in preventing a supply chain hack should be conducting an audit of all of your external software and IT partners that help keep your business running effectively. If you work with a lot of vendors, you may want to think about reducing this number to cut down on the amount of risk you are exposed to. The more external vendors your company works with, the greater the chance that one of your partners could suffer a supply chain hack and expose your business and your customers’ data to attack.
Step #2: Train your employees to identify common cybersecurity risks.
You train your staff to sell, to provide exceptional customer service, and to operate new technology your company adopts. Cybersecurity training is no different, and it is critical to building a workforce that is properly trained and dedicated to doing its part to prevent cyberattacks. A few things you can do to get your employees up to speed on cybersecurity include:
- Establishing policies on what—if any—type of software an employee may download to their computer
- Establishing credible sources for downloading software and software updates, and informing your employees that they should only trust updates from these trusted sources
- Setting complex password requirements
- Conducting training that explains the different types of cyberattacks—including supply chain hacks—and how to identify them
- Setting expectations for your employees and empowering them to report suspicious links and emails to your IT department
The most important part of training your employees is to communicate the importance of protecting customer and colleague information and each employee’s role in keeping it safe.
Step #3: Plan for prevention, resolution, and restitution with cyber liability insurance.
While cyberattacks are devastating for those who are ill-prepared, cyber liability insurance provides valuable resources to help regain lost business. Although prevention should be the primary focus of your cybersecurity strategy, it’s wise to have a plan in place in the unfortunate event that you are faced with a breach. Cyber liability insurance will help ensure that you’re prepared for any repercussions from a cyberattack or data breach, including loss of trust from employees and customers.
Now that cyber liability coverage has gained some popularity, many carriers are able to provide affordable, competitive rates for businesses of varying sizes. While most business owners assume they will not be able to afford it, this product comes at a low premium when compared to the cost of dealing with the consequences of a supply chain hack or other cyberattacks.
Brett Morgan specializes in alternative risk transfer programs, professional liability, Directors & Officers liability, and employment issues centered on protecting clients’ assets. He has an extensive background in understanding property exposures and a customer’s business processes. Brett has taught various seminars on business interruption, protecting your company while conducting business in foreign countries, and protecting your client’s internal controls from theft.