Type an email address into DeHashed or similar and there is a pretty good chance it will appear as one of millions scraped or exposed on the Internet every single day. That email is an identity. Guess the password attached to this identity (not hard given how weak most passwords are. Password1, anyone?) and a hacker has instant access to everything attached to that identity. Sometimes they don’t need to guess, the password will be conveniently placed next to the email in a poorly configured database.
In the end that’s what most cybercrime activity is, industrial scale mining of credentials that may or may not be used to launch a full-scale attack on another organization. Just like the recent blitz on MGM’s Las Vegas resorts. The house always wins? Not today pal.
The ubiquity of credential theft is such that we are now blasé about credentials being stored on criminal databases. Look at my results on DeHashed in Figure 1 below; 11 breaches. Am I shocked? No. Am I worried? A bit. Have I stopped using that email and changed loads of passwords? Do you want me to tell you the truth…
What has this got to do with the supply chain?
Well, a lot. Does your company have a supply chain? Probably yes, even the smallest business will have suppliers, even if it is just an Amazon or Costco account. Attacks in the supply chain are now top priority for cybercriminals because they know that employees are as useless as I am at using passwords and protecting them properly. They also know that everything is connected to everything else. What employees do at work mirrors what they do at home (today often the same thing). Myriad accounts are set up with the same username and password over and over. The difference being that business accounts are connected to the business. Now consider this. Everyone is in a supply chain. The effectiveness of your access and identity management processes affects YOUR partners. We are all in this together!
Why should you be worried?
Modern supply chains often rely on a multitude of third-party vendors, each with their own very different cybersecurity practices and vulnerabilities. An attack on one vendor can cascade throughout the entire supply chain and into other supply chains – hence the attacks that hacked an ID provider so the attackers could access the ID provider’s customers. The sharing of sensitive data across the supply chain can lead to data breaches. This includes not only personal information but also intellectual property and trade secrets.
Cybercriminals often exploit the human element in supply chains through phishing emails or social engineering attacks, tricking employees into revealing credentials or using them as mules to inject malware.
But you should mostly be worried because the supply chain is a Pandora’s Box and impossible to secure fully. We cannot univent the internet, digital supply chains make everything work, but remember: every time someone opens a business account on Amazon in your organization, another black hole appears, another set of credentials is waiting to be scraped. And that is happening all the time.
Figure 1 DeHashed. I have hidden my email here to protect my email - the irony!
Reducing Supply Chain Cybersecurity Risks
While it may be impossible to eliminate all cybersecurity risks in supply chains, companies can take proactive steps to minimize these threats:
- Vendor Assessment: Conduct thorough cybersecurity assessments of all third-party vendors and partners. Ensure they adhere to best practice and security standards.
- Data Encryption: Encrypt sensitive data at rest and in transit. Limit access to data on a need-to-know basis.
- Employee Training: Educate employees about the risks of social engineering attacks and phishing emails. Establish a culture of cybersecurity awareness.
- Patch and Update Systems: Keep all systems and software up to date with the latest security patches. This includes legacy systems that may still be in use.
- Incident Response Plan: Develop a robust incident response plan that outlines steps to take in the event of a breach. Introduce regular practice drills to ensure readiness.
- Monitoring and Detection: Implement continuous monitoring and threat detection systems to identify and respond to potential threats in real time.
- Supply Chain Resilience: Diversify suppliers and have contingency plans in place to mitigate the impact of disruptions caused by cyberattacks
Figure 2 The UK National Cyber Security Centre is a good source of information on supply chain security.
We are the Supply Chain!
Finally, consider that you too are part of someone else’s supply chain even if it is not immediately obvious, but you sell stuff, right? You are connected? By beefing up your cybersecurity measures and identity management capabilities you can do your part in protecting the global supply chain!
A good place to start is at KuppingerCole’s cyberevolution, the must-attend event for cybersecurity professionals in any point of their career, who not only want to learn about the deployment of traditional as well as unconventional cyber defense methodologies and strategies, but also want to gain a better understanding of the growing relevance of cybersecurity for businesses. Relevant highlights include:
Workshop with Florian Jörgens Chief Information Security Officer Vorwerk SE & Co. KG
Tuesday, November 14, 2023 11:00—12:30
Thursday, November 16, 2023 11:35—11:55