June 23rd, 2021
Not opening links in emails from a unknown senders and making sure you have strong passwords are just a few ways you can protect yourself from cyber attacks. We think it’s safe to say that the majority of us know this by now.
But now there’s a fairly new variation of cyber attacks: supply chain attacks. According to the U.S. National Institute of Science and Technology (NIST), an estimated 80% of cyber attacks worldwide occur through supply chains. These types of attacks are more common than you might think, and the scary thing is that it's a lot harder to protect yourself (and others) from them. That’s because, with supply chain attacks, you aren’t usually attacked directly. The attack is most often via your supplier, or your supplier's supplier, or your supplier's supplier's supplier. Shall we go on?
What Is a Supply Chain Attack?
A supply chain attack occurs when a hacker penetrates a system through an external partner or supplier and, as a result, gains access to your data and systems.
In general, supply chains consist of large, complex networks of manufacturers, distributors, retailers, and more, all of whom are likely to interact digitally. If hackers manage to infiltrate just one of these many links, they can quickly gain access to many more. Supply chains are like candy stores for hackers, and they’re always looking for new and more sophisticated ways to strike.
Supply chain attacks are an emerging threat, and software providers are a main target. That's one of the main reasons why TIE Kinetix finds it enormously important to ensure a secure platform for document exchange.
Supply Chain Attack on SolarWinds
Just check out this real-life example. It’s not exactly a document exchange case, but certain exchange methods—like SMTP—pose a similar threat for those that send and receive invoices and other business documents via email. Here’s what went down:
Between March and June 2020, Orion, a popular network monitoring product from SolarWinds, came out with a new software update. Included in this update was a Trojan horse. As in the Greek fable in which Odysseus (a war strategist) hid with his soldiers in a wooden horse to invade the city of Troy, there appeared to be nothing wrong with the update at first glance; the malware in the update was disguised.
What happened is that the attackers had taken control of SolarWinds' infrastructure, allowing them to hide malware in updates sent to customers. These customers included 425 companies in the U.S. Fortune 500, all ten of the largest telecommunications companies in the U.S., all five branches of the U.S. military, the Pentagon, the State Department, NASA, the Department of Justice, the Office of the President of the United States, the five largest accounting firms in the U.S., and hundreds of universities and colleges worldwide!
Not All “Digital” Documents Are Secure
Supply chains are becoming more and more complex, and this opens them up to additional risks. Since the onset of the corona pandemic, and even before that, an increasing number of public and private organizations have begun digitalizing their supply chains. As a result, more and more critical business information is also becoming digital. However, it’s important to note that not all “digital” documents are equally secure.
For example, it became legal to send PDF invoices via email around 10 years ago. But just because it’s still permitted today doesn’t mean that it’s secure. That’s because email uses Simple Mail Transfer Protocol (SMTP), and this communication protocol is vulnerable to attacks. Slightly expanding on this, there are a lot of security risks associated with sending PDF and/or XML documents via email.
How You Can Protect Yourself Against a Supply Chain Attack
Unfortunately, there’s no single and straightforward solution for preventing supply chain attacks. However, there are certain precautions you can take that can minimize the chance of an attack and its overall impact on you and your trading partners.
As already mentioned, supply chain attacks can occur via the digital communication you have with your suppliers, customers, and partners. Therefore, it’s important to make sure all of your critical exchanges, especially those that contain financial data, are as secure as possible. Here are some steps you can take:
1. Opt for secure document exchange networks and communication protocols. Avoidsending business documents via email. Our PDF-2-FLOW solution enables the secure exchange of business documents in both PDF and XML format via our TIE Communications application. It’s a much safer alternative to email, and it’s easy to install.
2. Understand the risks involved in your supply chain. Risks in your supply chain can take many forms. To avoid data breaches, make sure to have good collaboration with your trading partners and clearly communicate security requirements.
3. Know your trading partners. In line with the previous point, it’s important to know exactly who has access to which (sensitive) information, systems, and data. This is all part of risk management—you have to know how your partners are handling their own data and decide for yourself whether or not that lives up to your expectations.
4. Be critical of new service providers and trading partners. Always conduct a risk analysis and evaluate the security measures that your (new) partners or (software) providers take to protect their business data. And don't forget to follow the same procedure regarding the requirements they set for their partners and/or suppliers.
5. Plan your response in the case of a supply chain attack. If a cyber attack does happen, make sure you have a clear course of action. As the saying goes, preparation is half the battle, and this is certainly true when it comes to supply chain attacks. The more prepared and aware you are of the risks, the faster you can detect and resolve them—not only for yourself, but also for all of your business partners.