+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Managing Supply Chain Attacks with Cyber Security

Supply chain security is an important but often overlooked step of cyber security risk management. Incidents that affect your suppliers can have as much of a damaging impact on your organisation as a direct attack would. Understanding your supply chain, and the points at which vulnerabilities can be introduced and exploited, is a key step in hardening the cyber security of a business, and it is included as a step in the NCSC’s (National Cyber Security Centre, a branch of GCHQ in the UK) 10 Steps to Cyber Security for this reason. Cyber Supply Chain Risk Management (C-SCRM) helps to manage the risks posed by third-parties, suppliers, and partners. 

 

Consideration of supply chain security is slowly becoming a recognised part of cyber security, however it is still not given much time and attention, despite the severe effects a compromised supply chain can have on the security and daily operations of a business. The UK-based Cyber Security Breaches Survey conducted in January and released in April 2023 found that only 13% of businesses, and 11% of charities reviewed the risks posed by suppliers to their organisation. This breaks down to 27% of medium business, and 55% of large businesses, taking the time to evaluate the risks of their immediate suppliers. This shows an increase for large business from 2022, where only 44% reviewed supplier risks.  

 

A recent supply chain attack occurred against the 3CXDesktop App, an audio and video conferencing app for chat, messaging, video, and voice. This incident caused many national cyber security agencies including the NCSC and CISA (the Cybersecurity and Infrastructure Security Agency, a part of the U.S. Department of Homeland Security) to release alerts and advice for businesses on how to proceed following this issue. This particular supply chain attack took the form of a trojanized version of the 3CX app, which appeared signed, due to a code-level compromise. Assigned the CVE-ID CVE-2023-29059, the vulnerability affecting the 3CX app allowed malicious code to be embedded, which caused the trojanized app to sideload a malicious DLL payload. 

 

This was a wide-spread supply chain attack as the customers using the affected app included high-profile organisations across many industries, including the “automobile, aerospace, finance, food and beverage, government, hospitality, and manufacturing sectors”, according to researchers at Fortinet. The mitigation for this attack as published by the 3CXDesktopApp vendor is to uninstall the Electron App, which is known to be affected by this actively exploited vulnerability, and instead use the PWA web app through a Google Chrome or Microsoft Edge browser, which is unaffected by this flaw. This mitigation allows for customers to continue performing business functions that are reliant on the vulnerable app in a safe way. However, not all mitigations for supply chain attacks can allow for this, so the NCSC advise businesses avoid over-reliance on single suppliers to prevent a supply chain attack from having such a large-scale impact on business function. 

 

One way to defend against supply chain attacks is to perform enhanced security due diligence when first choosing suppliers. This can ensure you choose suppliers who have thought about their cyber security, and therefore are likely to be better protected against and prepared for the effects of a cyber attack. In order to establish a high level of security it is important to understand which parts of security is your responsibility, and which is the responsibility of your suppliers. Writing security responsibilities and considerations into you supplier contracts, including requiring the same level of vulnerability management as you apply to your own business, can further protect from these types of attacks. For supply chain attacks that target software used by your business, having an effective roll-back system in place, and regular backups of your networks and environments can prevent a weakness from a software vendor having too much of an effect on your business.  

 

Since 2021, businesses have seen board members taking on less responsibility for cyber security, which the Cyber Security Breaches Survey determined to be due to “lack of understanding or interest in cyber security relative to the day-to-day operations of the organisation, a lack of training, a lack of time and a perception that their kind of organisation was not facing an especially high risk from cyber attacks”. Having board members and senior management who are willing to engage in cyber security operations results in a larger number of staff following the cyber security directives in their day to day activities. This is because staff are more likely to put in the time and effort to understand and follow cyber security policies and procedures that they consider to be important. This sense of importance comes from the backing of senior management, and staff observing them participating in the cyber security processes. 

 

The NCSC have developed two new free resources to help organisations navigate their supply chain security needs. These are in the form of e-learning modules, that can be used as training for staff, and to accompany the previously published guidance on these topics. The areas covered are Mapping your supply chain and Gaining confidence in your supply chain cyber security (assessing your supply chain). The NCSC suggest that this guidance is suitable for SME’s, large organisations, self-employed traders, and cyber security professionals. Incorporating these free modules into already established frequent security training can help raise awareness of supply chain security across your organisation. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top