Supply chain security is an important but often overlooked step in cyber security risk management. Incidents that affect your suppliers can have as damaging an impact on your organisation as a direct attack would. Understanding your supply chain, and the points at which vulnerabilities can be introduced and exploited, is a key step in hardening the cyber security of a business, and for this reason it is included as a step in the NCSC’s (National Cyber Security Centre, a branch of GCHQ in the UK) 10 Steps to Cyber Security. Cyber Supply Chain Risk Management (C-SCRM) helps to manage the risks posed by third parties, suppliers, and partners.
Consideration of supply chain security is slowly becoming a recognised part of cyber security; however, it is still not given much time and attention, despite the severe effects a compromised supply chain can have on the security and daily operations of a business. The UK-based Cyber Security Breaches Survey, conducted in January and released in April 2023, found that only 13% of businesses and 11% of charities reviewed the risks posed by suppliers to their organisation. This breaks down to 27% of medium businesses and 55% of large businesses taking the time to evaluate the risks of their immediate suppliers. This shows an increase for large businesses from 2022, when only 44% reviewed supplier risks.
A recent supply chain attack occurred against the 3CXDesktop App, an audio and video conferencing app for chat, messaging, video, and voice. This incident caused many national cyber security agencies, including the NCSC and CISA (the Cybersecurity and Infrastructure Security Agency, a part of the U.S. Department of Homeland Security), to release alerts and advice for businesses on how to proceed following this issue. This particular supply chain attack took the form of a trojanized version of the 3CX app which, because the compromise happened at the code level, still appeared to be legitimately signed. Assigned the CVE-ID CVE-2023-29059, the vulnerability affecting the 3CX app allowed malicious code to be embedded, which caused the trojanized app to sideload a malicious DLL payload.
This was a widespread supply chain attack, as the customers using the affected app included high-profile organisations across many industries, including the “automobile, aerospace, finance, food and beverage, government, hospitality, and manufacturing sectors”, according to researchers at Fortinet. The mitigation for this attack, as published by the 3CXDesktopApp vendor, is to uninstall the Electron App, which is known to be affected by this actively exploited vulnerability, and instead use the PWA web app through a Google Chrome or Microsoft Edge browser, which is unaffected by this flaw. This mitigation allows customers to continue performing business functions that rely on the vulnerable app in a safe way. However, not all mitigations for supply chain attacks can allow for this, so the NCSC advise businesses to avoid over-reliance on single suppliers, to prevent a supply chain attack from having such a large-scale impact on business function.
One way to defend against supply chain attacks is to perform enhanced security due diligence when first choosing suppliers. This can ensure you choose suppliers who have thought about their cyber security, and who are therefore likely to be better protected against, and prepared for, the effects of a cyber attack. In order to establish a high level of security, it is important to understand which parts of security are your responsibility and which are the responsibility of your suppliers. Writing security responsibilities and considerations into your supplier contracts, including requiring the same level of vulnerability management as you apply to your own business, can further protect against these types of attacks. For supply chain attacks that target software used by your business, having an effective roll-back system in place, and regular backups of your networks and environments, can prevent a weakness introduced by a software vendor from having too much of an effect on your business.
Since 2021, businesses have seen board members taking on less responsibility for cyber security, which the Cyber Security Breaches Survey determined to be due to “lack of understanding or interest in cyber security relative to the day-to-day operations of the organisation, a lack of training, a lack of time and a perception that their kind of organisation was not facing an especially high risk from cyber attacks”. Having board members and senior management who are willing to engage in cyber security operations results in a larger number of staff following cyber security directives in their day-to-day activities. This is because staff are more likely to put in the time and effort to understand and follow cyber security policies and procedures that they consider to be important, and this sense of importance comes from the backing of senior management and from staff observing them participating in the cyber security processes.
The NCSC have developed two new free resources to help organisations navigate their supply chain security needs. These take the form of e-learning modules that can be used as training for staff and to accompany the previously published guidance on these topics. The areas covered are Mapping your supply chain and Gaining confidence in your supply chain cyber security (assessing your supply chain). The NCSC suggest that this guidance is suitable for SMEs, large organisations, self-employed traders, and cyber security professionals. Incorporating these free modules into already established, regular security training can help raise awareness of supply chain security across your organisation.
“We were very impressed with the service. I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)