The subject of controlled supply chains is very current. It is frequently discussed in the agricultural sector where a human error can pollute the entire chain and compromise the final product that arrives on the shelves, causing damage both to the consumer and to all the actors in the chain.
In a world increasingly based on connections, the cyber world is certainly not excluded from this type of risk. This is especially true in companies that involve not only employees but also many suppliers. An enlarged network can easily become an amplification of risk, simply because the possibilities of access available to hackers multiply, and with them the points of weakness. In this case, we are talking about attacks perpetrated through the supply chain: the process that allows a product or service to be brought to market, transferring it from one supplier to another, up to the customer.
Supply chains are becoming cyber criminals’ favourite hunting ground. In fact, according to the latest numbers, cyber attacks increased by 400% in 2020. The latest case to hit the headlines involves Ikea, the Swedish furniture multinational, which was hacked through a vulnerability in its mail system, paving the way for the spread of malware among employee emails.
This case has brought attention to this type of attack, which is much more devious and difficult to identify than the more familiar phishing campaigns. The emails containing ‘infected’ attachments or links arrive via the accounts of colleagues or trusted partners and are instinctively opened or forwarded to others, triggering the contamination. In short, the concept is always the same: the user is deceived through an escamotage that lowers their attention. It is very easy to fall into this trap, which generates an error that affects all the companies in the chain. Obviously, the longer the supply chain, the greater the damage.
How do we protect ourselves from this growing threat?
The keywords are always the same: training and awareness. For the company, but also for its suppliers and partners.
Adequate training on corporate cyber security undoubtedly ranks first among cyber protection measures. This training must be consolidated and then periodically refreshed through specific sessions, supported by adequate training programmes.
However, this may not be enough, especially for companies with many external contacts. It is therefore necessary to check the security level of suppliers throughout the supply chain, which can include making adequate cyber security awareness training a requirement for cooperation.
Or, to be sure of alignment on the subject of IT security, the partner in question should have received the same training programme as the parent company. In short, however valuable a supplier may be, its security training can no longer be taken for granted, especially when someone’s cyber vulnerability can generate significant economic damage and compromise everyone’s hard work.