Supply chain security has been forgotten yet it’s one of today’s biggest cyber risks

James Griffiths, Co-founder and Technical Director of Cyber Security Associates (CSA), considers a commonly overlooked area of cyber risk

  • The Government’s annual Cyber Security Breaches Survey reveals that only 13% of businesses have assessed their suppliers’ cyber risks
  • Organisations must get their supply chain security in order, as this is a significant and growing threat, as shown by the recent Okta attack

“Today’s Government annual Cyber Security Breaches Survey 2022 identifies some concerning findings around the supply chain. Only 13% of businesses have assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process. Yet between 55% and 60% of businesses are outsourcing their IT and cyber security to an external supplier.

“There is a clear rise in the number of supply chain attacks as demonstrated by the recent rise of big names, like Okta and Microsoft, suffering recent breaches. It shows that even large security-focused organisations are not immune to the kind of attacks we are now seeing by cyber hacker groups such as Lapsus$, and failing to secure the weaknesses that hackers will expose in the supply chain.

“In Okta’s case, this happened back in January and was only made public in March once the Lapsus$ group published the data, so attackers are often lurking inside, potentially infecting organisations, for over two months using legitimate credentials. So, many of these businesses surveyed by the Government may be unaware of what malware has already entered their networks through their external suppliers.

“Organisations must continually monitor the third parties they use for key critical solutions, such as identity access management (IAM) and privileged access management (PAM). By doing so, should something like this happen, they are in the best place to independently identify and respond appropriately.”

Attacks happening once a week – how to stay secure

“Alarmingly, around a third of businesses and 26% of charities have experienced an attack at least once a week, although this could be much higher as the Government’s survey report notes that the business sample for the 2022 publication is 12% smaller than the previous year. There has been a gross national underinvestment by Government and CNI providers in UK security infrastructure in the last 10 years, which hasn’t helped UK public services and UK PLC in the fight against cyber attacks and extortion.

“Checking if your organisation is a cyber risk every 12 months, as the Government’s survey reveals, isn’t enough. You should be penetration testing your network at least every month. Also, when was the last time you reviewed and tested your disaster recovery plan? Most companies don’t test their recovery plans until it’s real time, which could be too late to check plans are resilient to today’s threats. Yet the pandemic has seen businesses change considerably. Are the applications you have in your plan still valid? Have you tested your plans since moving your staff to home working?

“Banks must ensure that they’re doing their resilience checks, following the NCSC guidelines. Organisations with foreign links need to check that they’re patched, they’re multi-factor authentication enabled, and aware of what’s going on in their networks.

“This continually developing situation, with many threats ever present in cyberspace, means that everybody is under threat and no one is off limits to an attack.

War on Ukraine has given a free licence to criminal gangs

“Our Security Operations Centre (SOC) has seen threats accelerate rapidly over the last year as states like China and Russia remain an ever-constant threat upon the western world. This has amplified as a result of the conflict in Ukraine.

“Ransomware remains one of the biggest threats on UK national security, as businesses cited in the Government survey that it remains a major threat and the Russian war on Ukraine has magnified this threat further as we’ve seen hacking groups, whether individuals or IT companies, join forces with criminal cyber gangs like Anonymous to fight the Russian threat. The war on Ukraine has given a free licence to criminal gangs. Yet we’re still operating in a country where it’s illegal to hack and giving hacking groups a free rein in breaking UK laws such as the Computer Misuse Act could have serious consequences on current and future security of the UK.

“Since the Ukraine crisis no one is ‘off the table’ when it comes to being breached. We’ve seen this by the ability of hacking groups like Anonymous to swiftly penetrate and take down the Russian equivalent of the NSA, which isn’t the sort of level of security access that happens overnight.

“Partnerships between legal cyber technology companies and Government remain key to the Ministry of Defence’s strategy to meet the ever-demanding threats and technological advances, as Richard Moore, Head of MI6, stated last November. Even then though, commercial IT firms partnering with Government departments will increase security risks and need careful management.”

About the author

James Griffiths is Co-founder and Technical Director of Cyber Security Associates (CSA). James, along with all CSA staff, has enhanced Government security clearance. The Survey covers the period October 2021 to January 2022.

James has worked in cyber security for over 15 years, including a distinguished career as an Army Royal Signals Senior Operator, spending the last five years of service working as an Operator providing cyber offensive capability to the UK government, including MOD and GCHQ.