Is Your Supply Chain Exposing Your Data to the Unknown?

In 2015, 90% of SMEs in the UK suffered a security breach.

What does this mean in practice, aka, what was the actual damage?

For starters, the average cost of a data breach for an SME ranges between 1.46m and 3.14m GBP. But whether you’re a small business or a larger enterprise, your business supply chain is inevitably made up of SMEs, and this should be the main concern for us all.

What makes SMEs so prone to these breaches? What are the targeted SMEs doing ‘wrong’, and where do their weakest vulnerabilities lie?

Once we answer these questions, it’ll be much easier to make sure our data is…  un-breachable.

For SMEs to be sufficiently ‘breach-proof’ (if such a thing exists), their understanding of risk and risk management must be aligned with the real dangers in their midst.

Our question now becomes: When SME leaders take precautions against cybersecurity, do they know the threats they should be concerned about? Is their risk appetite aligned with their business goals? Do they know what to look out for? And what they need (and will) do differently?

SMEs Make up 90% of our Supply Chain

SMEs seem to be on the ball;

94% of the surveyed procurement leaders told KPMG Supply Chain Research that cybersecurity standards are important when choosing an SME supplier, and two-thirds of these leaders require their external providers to prove their cybersecurity accountability as a prerequisite to collaboration.

The procurement SME leaders and chief risk officers concerns are well aligned with reality; stats show that almost 80% of data breaches are caused by supply chains.

Deloitte reports that 48% of their 600 survey respondents confirmed an increase in supply chain security events that negatively impacted their business, and these impacts are increasing with time — in both frequency and severity.

Risk Assessment for SMEs: Don’t Forget the Bigger Picture

This is where businesses (both smaller and the larger enterprise) get caught by surprise;

Despite the awareness level that SME leaders seem to have about how paramount supply chain security is to the stability of their businesses and their partners, KPMG shows that less than a quarter of SME leaders cited cybersecurity as one of their top concerns, and 51% of these leaders “think it’s unlikely or very unlikely that they’d be a target for an attack”.

If SME business leaders know how critical the supply chain risk is, why are they so lax about their own breach resilience?

SMEs in the Supply Chain: A Means to an End

While SME leaders are indeed correct in their thinking that they would unlikely be the target, since the larger enterprises are a much more lucrative address for cyber criminals who are money hungry, they are indeed flawed in their expectations.

Although hackers may not be interested in the credentials and databases that constitute SME digital assets, SME suppliers are nonetheless part of hackers’ master plan;

As soon as a hacker intercepts a (less secure) SME supplier who provides for the larger enterprise, they have gained access to one of the top attack vehicles of our times. A strongly integrated supply chain, offers the best platform a hacker could ask for to gain access to the end target.

The “Most Significant Data Breach in History”: A Supply Chain Failure Nonetheless

The Target breach earned this title among Forrester’s VP and Principal Risk Analyst, John Kindervag.

Once Target’s HVAC vendor, Fazio Mechanical Services, were phished by hackers, who wisely chose an SME supplier who they (correctly) expected to lack sufficient cyber awareness and planning to withstand these types of attempts at cyber crime.

The hackers had accessed the supplier’s networks, only to find out that they could gain access to a remote access tool that will allow them to infiltrate Target’s own network.

Ultimately, the hackers used the opportunity to move into Target’s network and to propagate between their different networks and accessing the point of sale endpoints. Successfully pushing a malware to “a majority of Target’s point-of-sale devices…and actively collecting credit cards from live customer transactions”.

The hackers went home happy — with 11GB of personal credential data of 70 million Target customers.

One Step Closer

The Target story tells it all. It wasn’t Target’s direct assets that the hackers were able to infiltrate.

Instead, Tessa88 and Peace_of_Mind (the Target hackers’ pseudonyms) thought ‘outside the box’.

By intercepting the SME supplier that Target used (a heating and air-conditioning contractor), Tessa88 and Peace_of_Mind got the best they could have hoped for: the credentials of 70 million Target shoppers.

Although these shoppers have no direct interaction with HVAC, and the most they know of each other is the comfortable temperature that HVAC provided in Target retail stores, once HVAC was a link in the Target supply chain, access to the vendor meant access to it all.