Supply chains are increasingly under attack from hackers taking advantage of global disruption, a new report by cybersecurity firm Risk Ledger has shown.
Smaller players across supply chains are being particularly targeted by cyber criminals looking to intercept sensitive data and commit fraud. Documented instances of attacks against larger organisations through their suppliers skyrocketed by 600% in 2022.
This is because smaller suppliers are “under-resourced against the current economic backdrop”, said Risk Ledger’s chief of staff Emily Hodges.
“Their systems are often very manual and spreadsheet-based,” making them easier targets, she said. “And with supply chains being so critical at the moment, cyber criminals will target the weakest areas.”
This is what happened with frozen food specialist Cook, after a “human error” left its IT systems at its Sittingbourne manufacturing site exposed to cyber criminals in December 2021.
The attack wiped an estimated £2m from the company’s EBITDA and forced it to shut down its website in the lead-up to Christmas.
Even the supply chains of bigger retailers and manufacturers can be targeted “through the smaller players and outsourced firms because of the distributed nature of their IT systems”, Hodges said.
Risk Ledger’s report showed companies “rarely run security assurance against more than 10% of their immediate third-party suppliers”, while visibility into the risks existing further down the line remained “almost non-existent”.
This means suppliers that have access to a shop’s point of sale systems for stock management purposes might be more easily targeted by criminals looking to steal customers’ bank card data or personal information to commit fraud.
“Whether it’s lone wolves or organised criminals, this type of data can be sold for quite high value on the dark web,” Hodges said.
She added supply chain cyberattacks “are somewhat inevitable at the moment” and that ransomware particularly “has been really common the past couple of years”.
German frozen food supplier Apetito was a victim of ransomware last June, causing “significant disruption” to its UK operations and halting deliveries for days.
McCoy’s and Hula Hoops maker KP Snacks was also forced to stop operations in February last year after hackers threatened to reveal employees’ personal information unless a ransom was paid.
While the authorities generally advise companies not to pay criminals, many end up doing so over fear of further disruption – in May 2021, Brazilian meat giant JBS paid cyber criminals around $11m after an “organised cybersecurity attack” forced its factories to shut down for several days.
The EU Agency for Cybersecurity (ENISA) has also recently identified “supply chain compromise of software dependencies” as one of its top 10 cybersecurity threats to emerge by 2030.
“It is impossible for an organisation to guarantee 100% security,” Hodges said, “but by keeping systems up to date, understanding the level of security control a supplier has in place at any one time, and having the communication mechanisms to respond quickly when it does happen, they can avoid the worst of the impact”.
She warned businesses they should have alternatives in place “to bridge the gap in food supply until the supplier who suffered the incident is back up and running” as cybercrimes are only set to increase.