Why security aware employees are business’ best defence against supply chain attacks


Like any facet of technology, cybercriminals and their methods of executing cyberattacks are constantly evolving. This is certainly true for one specific type of cyberattack whose use has surged over the course of 2022: supply chain attacks. In a supply chain attack, hackers reach their intended target by looking for weaknesses in the company’s supply chain, which are often found in service providers with lower security standards. With cyberattacks evolving in this way, it is crucial for businesses to be aware of the latest methods cybercriminals are using to target them.

Here are some of the most popular methods of supply chain attacks that businesses should be aware of to protect themselves against them:

Malware infections

Supply chain attacks very often begin with a malware infection. While there are different types of malware that perform different processes, their shared purpose is to be secretly inserted into an organisation’s computer system and then to spread slowly throughout the supply chain. For example, ransomware collects and encrypts valuable data, which the hacker can then try to ransom back to the target organisation. Spyware observes and tracks activity on a system and is often used to collect login credentials for later use. Backdoor malware, such as a Trojan horse, gives the hacker remote access to control programmes and is often used as the launch site for a supply chain attack. These different forms of malware exploit any kind of vulnerability within a supply chain with incredible effectiveness.

Social engineering

The hugely important role human behaviour plays in determining the success of a cyberattack is often overlooked. Hackers frequently exploit human traits such as trust and fear via social engineering, hoping victims will be tricked into installing malware, disabling security features or disclosing confidential information. Phishing and smishing (phishing via SMS or other messages) are both common forms of social engineering; users are often more careless with smishing and tend to respond more quickly than they do to emails. For example, in July last year, the president of the European Central Bank, Christine Lagarde, was targeted by cybercriminals using German Chancellor Angela Merkel’s real mobile number. This demonstrates not only how high cybercriminals will aim but also their ability to obtain valuable information such as Angela Merkel’s phone number. How they did this is still unknown.

Brute-force attacks

Brute-force attacks, often used to gain access to sensitive data, are based on trial and error. Cybercriminals try to guess an employee’s login details using tools designed to test as many different combinations as possible. Once successful, hackers will most likely infect the company’s system with malware with the potential to cause untold disruption.
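Brute-force guessing of the kind described above leaves a recognisable trace in authentication logs: a burst of failed logins for one account from one source, sometimes followed by a success. The following is an added example for defenders, not code from the original article, showing how that pattern can be detected. The log format, the sample lines, the threshold of five failures and the 60-second window are all constructed assumptions; a real deployment would parse the organisation’s own log format and tune the threshold to its baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in an sshd-like format (not taken from any real system).
# alice: five failures in five seconds, then a success (classic brute-force signature).
# bob: two failures 25 minutes apart, then a success (ordinary mistyped password).
SAMPLE_LOG = """\
2022-11-03T09:00:01 auth: Failed password for alice from 203.0.113.7
2022-11-03T09:00:02 auth: Failed password for alice from 203.0.113.7
2022-11-03T09:00:03 auth: Failed password for alice from 203.0.113.7
2022-11-03T09:00:04 auth: Failed password for alice from 203.0.113.7
2022-11-03T09:00:05 auth: Failed password for alice from 203.0.113.7
2022-11-03T09:00:06 auth: Accepted password for alice from 203.0.113.7
2022-11-03T09:05:00 auth: Failed password for bob from 198.51.100.9
2022-11-03T09:30:00 auth: Failed password for bob from 198.51.100.9
2022-11-03T09:31:00 auth: Accepted password for bob from 198.51.100.9
"""

# Assumed log line layout: "<ISO timestamp> auth: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "failed": m["outcome"] == "Failed",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts as (user, ip, kind, timestamp) tuples.

    kind is 'burst' when at least `threshold` failures for one (user, ip) pair
    fall inside one sliding window of `window_seconds`, and 'success_after_burst'
    when a login for that pair succeeds while the burst is still active, which is
    the case a responder should treat as a probable account compromise.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    bursting = set()             # pairs that have already triggered a burst alert
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        # Drop failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["failed"]:
            q.append(ev["ts"])
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append((ev["user"], ev["ip"], "burst", ev["ts"].isoformat()))
        else:
            if key in bursting:
                alerts.append((ev["user"], ev["ip"], "success_after_burst", ev["ts"].isoformat()))
            # A successful login ends the current episode for this pair.
            q.clear()
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector raises a burst alert for alice at 09:00:05 and a success-after-burst alert at 09:00:06, while bob’s two widely spaced failures produce nothing. The same logic is what account lockout and rate limiting act on; the detection side is what lets a security team notice that a lockout policy is being tested against many accounts.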

Software vulnerabilities

Despite software manufacturers’ meticulous design and intense security testing, no software is infallible. Even the ‘most secure’ software will have vulnerabilities, and cybercriminals know this and will try to exploit them. In many cases, exploitable flaws need only be temporary, so hackers can use zero-day exploits, such as manipulating and running updates. This occurred last January when a hacker group known as Lapsus$ targeted Okta, a provider of authentication services. The hackers discovered a vulnerability within the systems of Sitel, one of Okta’s service providers, and logged into an employee’s laptop using remote maintenance software, remaining undiscovered for two months. This demonstrates how effective cybercriminals can be at remaining undetected while their malware spreads through supply chains causing untold disruption.

The role of awareness

The methods of supply chain attacks outlined above demonstrate how innovative and effective cyberattacks have become. No matter what, every piece of software and every organisation’s digital infrastructure is vulnerable to cyberattacks one way or another. On top of this, cybercriminals are also keen to utilise emotional manipulation when it presents more opportunities than other methods.

While these methods have proven to be effective tools for cybercriminals, businesses can vastly reduce the risk of supply chain cyberattacks instigated via the above methods. By ensuring that employees are integrated into a hands-on cybersecurity training strategy, businesses can educate their staff to recognise the most common cyberattack methods. This training must include active, modern security awareness training, practical exercises and realistic simulations. Simple explanations and passive knowledge are not enough to prepare employees for the part they would play in a real cyberattack. Tools such as behavioural science and psychology are key to understanding and focusing on each learner’s needs.

Businesses can reduce the risk of cyberattacks by up to 90% with these kinds of systematic and individually tailored training measures. While the risk of cyber-attacks is always present and businesses should always be prepared for them, proper awareness amongst employees is a huge benefit to an entire organisation’s cybersecurity.