Supply chain hacks are on the rise. But most companies aren't prepared

Attacks via suppliers are on the up - but defending against them is hard.
Written by Liam Tung, Contributing Writer

The UK's cybersecurity agency has told firms to do more to protect themselves from attacks on their supply chains. 

The National Cyber Security Center (NCSC) has released new guidance for organizations due to what it says is a recent rise in supply chain attacks. 

Some notable recent cases include the 2020 attack on SolarWinds' software build system, the 2021 ransomware attack on customers of software vendor Kaseya, and the 2017 NotPetya attack delivered via a Ukrainian accounting program. It was on the heels of SolarWinds that US President Joe Biden issued his executive order to strengthen the nation's cybersecurity.


NCSC last February published a document on "defending the pipeline", which urged organizations and developers to automate software development with continuous integration and continuous delivery (CI/CD).

In October last year, NCSC's CEO rated ransomware as the greatest cyber threat, but warned that supply chain threats would be here for years.

NCSC says in an announcement that the new guidance is aimed at helping medium and larger organizations "assess the cyber risks of working with suppliers and gain assurance that mitigations are in place." 

"It follows a significant increase in cyberattacks resulting from vulnerabilities within supply chains in recent years, including some high-profile incidents such as the SolarWinds attack," it said.

It also wants cybersecurity professionals, risk managers and procurement specialists to implement the NCSC's 12 supply chain security principles.

Not many UK businesses are checking supplier-related security. According to the UK government's 2022 security breaches survey, over half of businesses, large and small, outsource IT and cybersecurity to third parties. Yet only 13% of UK businesses assessed the risks posed by their immediate suppliers. Respondents who did not said cybersecurity was not an important factor in procurement.

"Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers," said Ian McCormack, NCSC deputy director for government cyber resilience. 

"With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place."

The guidance is split into five stages, covering: why organizations should care about supply chain cybersecurity; identifying and protecting your 'crown jewels' in creating an approach; applying the approach to new suppliers; applying it to existing supplier contracts; and continuous improvement.

The US spy agency, the NSA, last month published its own software supply chain guidance, aimed specifically at developers. That month, the US Office of Management and Budget also issued new software procurement guidelines.
