Veracity Blog

Businesses need to be aware of supply chain cyber risks

Businesses need to be aware that their data could be at risk if they use third-party providers in their supply chain.

A spate of recent cyber-attacks on supply chain providers has seen sensitive data leaked or held to ransom from organisations including the Ministry of Defence, the Metropolitan Police, and a significant number of charities.

The BBC reported on a hack which targeted a payroll system used by the MoD and which included the names and bank details of current, and some former, armed forces members. The system was managed by an external contractor and the MoD acted quickly to take it offline.

The then UK Defence Secretary Grant Shapps told MPs the government had reason to believe the hack “was the suspected work of a malign actor.” 

Speaking in the House of Commons, Mr Shapps criticised the contractor-operated system, saying there was “evidence of failings” by the contractor and that the system was totally separate from the core MoD network.

He told MPs the incident was “further proof that the UK is facing rising and evolving threats”. 

“For reasons of national security, we can’t release further details of the suspected cyber-activity behind this incident,” Mr Shapps said. 

“However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor, and we cannot rule out state involvement.” 

Metropolitan Police investigate potential breach 

Last August the Metropolitan Police investigated a possible data breach after “unauthorised access” was gained to the systems of one of its suppliers.  

The force said the company held names, ranks, photos, vetting levels, and pay numbers for officers and staff, and that it was working to understand what data, if any, had been accessed. 

The supply chain company which was breached was responsible for producing warrant cards and staff passes for identification, according to reports at the time.

A spokesperson for the Met said the force was unable to say when the breach occurred, or how many personnel may have been affected, but added that the supply chain company in question did not hold personal information such as addresses, phone numbers or financial details. 

The incident was reported to the National Crime Agency (NCA) and to the Information Commissioner’s Office (ICO).

Major charities affected by cyber attack 

The survey company About Loyalty, which works with more than 40 charities, revealed in October last year that one of its sub-contractors, Kokoro, had been hacked. 

Charities that were caught up in the hack included Centrepoint, Friends of the Earth, Dogs Trust, Cats Protection, Battersea and the RSPCA. 

Hackers also stole data from charities and community organisations in a cyber-attack on a Londonderry-based IT company. 

Evide manages data for about 140 organisations across the island of Ireland and the UK, including groups that work with victims of sexual crime. It was targeted in a ransomware attack in April 2023. 

The company said it became aware of the incident when unusual traffic was detected on its network. In a statement, it said: “As soon as we became aware that a third party had accessed our systems, we immediately contacted the PSNI and engaged the services of experienced cyber-security specialists to assist us to contain the issue, support recovery efforts, and conduct a thorough investigation.” 

Steps to minimise supply chain risks 

Supply chain disruptions can put business performance at risk, cause reputational and financial damage, and threaten organisational viability. 

According to Gartner, most organisations should employ a three-pronged strategy to reduce the impact unfamiliar disruptions have: visibility, resilience and agility. 

  • Resilience ensures the supply chain has enough inputs and options to fuel a risk response. 
  • Agility ensures the flexibility necessary to use those inputs to respond quickly.  
  • Visibility ensures the supply chain senses risks early and knows what the best response options are so that it can act accordingly. 

The strategy reduces the impact of unfamiliar risk events when the supply chain cannot reasonably develop response playbooks. Supply chain leaders know they cannot predict which events will occur. 

Disruption shapers 

Gartner’s analysis showed two important findings:  

  1. Organisations can reduce the rate of disruption to their supply chains — something most supply chain leaders dismiss as even a possibility.  
  2. Organisations can strategically shape which risk events will disrupt them, effectively reducing the number of disruptions they experience.

Gartner refers to these types of organisations as “disruption shapers”. Its survey shows that disruption shapers are likely to experience less than one-third of the disruptions their response-focused peers experience.

These organisations differ from their peers because of the way their supply chains operate. They have fewer processes, sales channels or touchpoints for orders, and fewer countries and sites through which their inventory passes. 

They also have fewer third-party logistics providers, shipping modes and greater distances between suppliers, factories, warehouses and distribution centres. 

Gartner puts this down to the smaller “surface area” in which they operate. 

Of course, this isn’t always possible. Some businesses are too big to reduce their supply chain; others may be too small to employ a chief supply chain officer (CSCO).

But someone does need to take oversight and start by identifying risks. 

How to identify supply chain risks 

Examine the risks inside the supply chain, as well as those which exist externally and are often caused by customers, suppliers, regulators and NGOs. Then assess their materiality, a concept within auditing and accounting relating to the importance or significance of an amount, transaction, or discrepancy.

For example, to mitigate supplier failure risk, conduct due diligence and supplier audits, and to mitigate cyber risk, develop vulnerability analysis and continuity plans. 

Then, evaluate your risk appetite, documenting the most significant risks that will require enhanced controls. Examples include a single-sourced supplier based in a politically unstable location and key IT systems vulnerable to cyberattacks. 

There is no such thing as complete mitigation readiness; there are always going to be events which occur beyond normal preparedness. But no company is immune to supplier risk or supply chain cyber-attacks.

Taking steps to improve your ability to respond, and to reduce potential risk through effective strategies, is therefore essential.

Technology has proven to be a catalyst for improved supply chain risk management (SCRM). The best companies use technology in their SCRM strategy, almost doubling their effectiveness in supplier risk tactics.

Veracity Trust Network 

To combat the ever-evolving supply chain cyber-attack threat, you need technology that’s prepared for the unknown risks and can help mitigate the causes of data breaches. 

Veracity Trust Network’s two patented AI-powered technologies do just that, and they’re designed to fit seamlessly into your existing security stack without compromising any existing protection.

They work to mitigate everything from data theft attempts to advertising click fraud and solve problems for multiple business functions ranging from security to finance, marketing to data analysis, customer experience to reputation management. 

Why not get peace of mind for all aspects of your digital business with the complete Veracity Bot Protection Suite? 

Try Ad Fraud Prevention and Web Threat Protection in one powerful bundle: 

https://veracitytrustnetwork.com/ad-fraud-traffic-audit  
