25 Jan 2024
by Gemma Anduig, Simon Borwick

Rethinking supply chain resilience as cyber attacks get more disruptive

Guest blog by Simon Borwick, Cybersecurity Partner and Gemma Anduig, Senior Manager, Cybersecurity team at PwC UK #NatSec2024

As organisations’ supply chains have become more interconnected, extended and reliant on technology and third-party providers, they have also increasingly become targets for highly disruptive cyber attacks that can have far reaching consequences on the delivery of key public services, national security and critical infrastructure.

This growing source of cyber risk comes as CEOs are already sensitive to the wider risk of cyber threats to their increasingly tech-powered businesses. In PwC’s 27th UK CEO Survey, 20% of CEOs say they feel highly or extremely exposed to significant financial losses resulting from cyber risks over the next 12 months.

Regulatory changes

There is also increasing regulation around supply chain risk and resilience, with the Bank of England, Prudential Regulation Authority and Financial Conduct Authority setting out proposed requirements at the end of 2023 that critical third parties (CTPs) will need to meet to ensure the resilience of the services they provide to the financial sector. With many new regulations such as the Telecommunications Security Requirements Act (TSR), Digital Operational Resilience Act (DORA) and the Networks Information Services (NIS) 2 Directive all covering supply-chain resilience, organisations will need to be prepared for more scrutiny on this.

Today’s supply chain cyber threats

Supply chain attacks are a type of cyber attack that targets an organisation’s supplier as a way to get access to the organisation’s assets/data, and can take several forms such as:

  • Software compromise: Attackers inject malicious code into the software (e.g. NotPetya).
  • Authenticator provider compromise: Attackers steal login credentials from a third-party to gain access. In the 2023 attack on a US identity and access management company, hackers used stolen credentials to access its systems and then ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.
  • Trusted third-party compromise: Attackers compromise trusted suppliers to exfiltrate data or gain access to the organisation’s systems/networks. This happened in June 2023 when criminals exploited a vulnerability in a file transfer app used by thousands of organisations around the world.
  • Denial of service: Attackers disrupt the operations of a key supplier, which has a disruptive knock-on effect on the organisations that depend on it. For example, the largest known denial of service attack was against key cloud service providers.

Four key actions to secure your supply chain and protect your organisation

1. Understand your critical suppliers and their risk profile

Organisations must identify and assess their critical third parties, where they have dependencies from an operational resilience perspective. For example, in financial services the EU Digital Operational Resilience Act (DORA) came into force in January 2023, requiring organisations to report which third party arrangements support important business services defined in a firm's operational resilience framework. And for non-financial sector organisations, the NIS regulations include requirements around identification and management of critical third parties.

For such critical third parties, there needs to be more proactive management of the potential risk they present to an organisation throughout the third party lifecycle: for example, tighter contracts, and due diligence checks and testing of supplier controls throughout the life cycle, not just at onboarding.

Termination is an area that is often overlooked but it is important that exit plans are also in place to limit service disruption, remove access and ensure data deletion.

2. Perform risk assessments and monitor suppliers

Once a supplier has been onboarded it is important that they are regularly monitored and assessed based on their risk profile, which implies that organisations need to be able to detect if the supplier’s risk profile has changed. Organisations not only need to have visibility of their suppliers but also of Nth party suppliers (their suppliers’ suppliers) to understand and mitigate multi-chain compromises.

3. Have an incident response plan

Organisations must also make sure they have an incident response plan in place which includes all their critical suppliers. This should get tested on an annual basis to raise awareness and ensure stakeholders are aware of their roles and responsibilities.

4. Use data and technology to maximise efficiency and improve risk radar

Smarter use of technology can also help organisations protect against supply chain attacks. Some 40.9% of organisations surveyed on cyber security by ProcessUnity and CyberGRX said they were primarily focused on threat intelligence and use rating tools to monitor threats. Automation can also be used at many points within the process to increase efficiency, and its adoption is particularly growing in two main areas: performing dynamic automated assessments and continuously monitoring suppliers.

And although still in its infancy, we are also starting to see initiatives using GenAI and we expect this trend to grow and develop rapidly in the coming months and years.

Aggregating data across all the underlying components of your critical business services and mapping across people, processes, technology and third party suppliers allows you to see the impact of disruption on those services and where the gaps are.
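As an added illustration of the dependency mapping described in points 2 and 4 above (example code written for this post, not PwC’s tooling; every service, component and supplier name is constructed): given a map of business services to the components that deliver them, and of each component or supplier to the parties it in turn relies on, this walks the chain upward to show which services a single supplier outage or compromise would disrupt, and ranks leaf suppliers by how many services depend on them.

```python
from collections import defaultdict

# Constructed sample dependency map (illustrative, not real supplier data).
# Services map to the components that deliver them; components and suppliers
# map to what they rely on, so 4th/Nth-party suppliers are deeper edges.
SERVICE_COMPONENTS = {
    "payments":        {"payments-app", "card-gateway"},
    "customer-portal": {"portal-web", "identity-provider"},
    "payroll":         {"payroll-saas"},
}
DEPENDS_ON = {
    "payments-app":      {"CloudHost-A"},
    "card-gateway":      {"GatewayCo"},
    "GatewayCo":         {"CloudHost-A"},  # 4th party: gateway runs on same cloud
    "portal-web":        {"CloudHost-A", "CDN-B"},
    "identity-provider": {"IdP-C"},
    "IdP-C":             {"CloudHost-A"},  # identity provider also on CloudHost-A
    "payroll-saas":      {"PayrollCo"},
    "PayrollCo":         {"CloudHost-D"},
}

def reverse_edges():
    """Invert the graph: node -> the nodes that directly depend on it."""
    dependents = defaultdict(set)
    for node, deps in list(SERVICE_COMPONENTS.items()) + list(DEPENDS_ON.items()):
        for d in deps:
            dependents[d].add(node)
    return dependents

def impacted_services(failed):
    """Business services disrupted if `failed` is unavailable, walking the
    chain upward through every intermediate party (multi-chain compromise)."""
    dependents = reverse_edges()
    seen, stack, hit = {failed}, [failed], set()
    while stack:
        node = stack.pop()
        if node in SERVICE_COMPONENTS:
            hit.add(node)
        for parent in dependents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return hit

def concentration_risk():
    """Leaf suppliers (no recorded dependencies of their own) ranked by the
    number of business services they can take down: the hidden gaps."""
    leaves = {d for deps in DEPENDS_ON.values() for d in deps if d not in DEPENDS_ON}
    ranked = {s: sorted(impacted_services(s)) for s in leaves}
    return sorted(ranked.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

In the constructed data CloudHost-A never appears as a direct supplier of a business service, yet it sits under two of the three; that is the kind of Nth-party concentration the mapping is meant to surface.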

But it is critical for organisations to address existing data quality issues across an often fragmented system and data landscape if supply chain risk reporting is going to be reliable. This means addressing inaccurate or missing data through data remediation exercises, backed by ongoing and effective data governance to maintain data quality. And translating raw data on third-party arrangements into meaningful management information is key to ensuring senior executives have real insight into the level of risk.


techUK’s National Security Week 2024 #NatSec2024

The National Security team are delighted to be hosting our annual National Security Week between Monday, 22 January 2024, and Friday, 26 January 2024.

Authors

Gemma Anduig, Senior Manager, Cybersecurity, PwC UK

Simon Borwick, Cybersecurity Partner, PwC UK