Don’t be the weakest link in your supply chain



If you were following the news at the weekend, you will undoubtedly have heard of the enormous cyber-attack on Kaseya, a Florida-based provider of IT management software.


The ramifications of such a serious attack have been far-reaching, with roughly 1,000 businesses across the world potentially impacted, all of them part of the Kaseya supply chain. For example, 500 Coop supermarket stores in Sweden have been forced to close and nine New Zealand schools are reporting some form of disruption, to name but a couple.


According to the Ponemon Institute, 60% of US and UK companies have experienced a data breach caused by a vendor or third party. Large businesses are usually the ultimate target, but they tend to have well-defended systems, so criminals look instead at the SMEs in that target's supply chain: smaller, trusted suppliers that are likely to be easier to break into and whose access the target already accepts.

So, what is a supply chain attack?

This is where a criminal compromises a supplier and abuses the trust that supplier's customers place in it: the supplier's software, updates or remote access become a route into every customer at once. That can mean a backdoor for data theft, or ransomware that stops the supplier's service from running and spreads to its customers. In the Kaseya case, the ransomware reached customers through the supplier's own IT management software, which is why the effects spread so far and so quickly.

Why do criminals do it?

Like most things, criminals do it for money. They use the backdoor to steal information, such as customers' personal and financial data, and then typically encrypt the victims' systems with ransomware. Encrypting the data pressures the victim into paying for the decryption keys, and it also makes it harder for the victim to work out exactly what was taken. In Kaseya's case, REvil, the organisation behind the attack, is now demanding a $70 million ransom for the decryption key.

What can SME businesses do?

· Make sure that your business is as cyber resilient as possible. Joining the ECRC and achieving Cyber Essentials is a great first step if you are not sure how to start.

· Know who your suppliers are and ask them about their security. Look for businesses that hold a cyber resilience accreditation, such as Cyber Essentials.

· Ensure that your suppliers only have the access they actually need, for only as long as they need it. Assume that a supplier will be compromised at some point: what is your plan when that happens?

· Review what damage could be done if a supplier is compromised, and whether there is any way to reduce the impact. Consider running business continuity exercises to test your business's response.

· Have monitoring in place that alerts you to warning signs such as the anti-malware being switched off. Do you know how to check that yours is running?
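One concrete form of the monitoring in the last point, as an added example that is not code from the ECRC article or from any vendor: a small Python detector run over events exported from the Windows Defender operational log and the System log (the dict shape a SIEM or a `Get-WinEvent` export gives you; the field names and the sample events are assumptions constructed for this demo). It uses Microsoft's documented Defender event IDs (5001/5010/5012 for protection being disabled, 5000 for real-time protection coming back, and Service Control Manager 7036 for the Defender service stopping), and it also lists inventoried hosts that sent no Defender events at all, because an agent that goes quiet is as suspicious as one that logs its own shutdown.

```python
"""Detect anti-malware being switched off on managed Windows hosts.

Added example; not from the ECRC article or any vendor. Events are dicts
with TimeCreated (ISO-8601), Computer, LogName, EventID and Message, as an
export of the Windows Defender/Operational and System logs might give.
"""

DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"

# Defender operational-log event IDs that mean protection was reduced.
DEFENDER_OFF = {
    5001: "real-time protection disabled",
    5010: "anti-spyware scanning disabled",
    5012: "antivirus scanning disabled",
}
DEFENDER_ON = {5000}            # real-time protection enabled again
SCM_SERVICE_STATE = 7036        # Service Control Manager: service changed state
DEFENDER_SERVICE = "Windows Defender Antivirus Service"


def protection_off_reason(event):
    """Return why this event weakens protection, or None if it does not."""
    eid = event["EventID"]
    if event["LogName"] == DEFENDER_LOG and eid in DEFENDER_OFF:
        return DEFENDER_OFF[eid]
    if (event["LogName"] == "System" and eid == SCM_SERVICE_STATE
            and DEFENDER_SERVICE in event["Message"]
            and "stopped state" in event["Message"]):
        return "Defender service stopped"
    return None


def protection_restored(event):
    """True if this event shows protection coming back on."""
    if event["LogName"] == DEFENDER_LOG and event["EventID"] in DEFENDER_ON:
        return True
    return (event["LogName"] == "System"
            and event["EventID"] == SCM_SERVICE_STATE
            and DEFENDER_SERVICE in event["Message"]
            and "running state" in event["Message"])


def find_protection_gaps(events):
    """One alert per host/off-event, noting whether protection came back later.

    Returns a list of dicts {computer, when, reason, restored} in time order.
    ISO-8601 timestamps in a single time zone sort correctly as strings.
    """
    events = sorted(events, key=lambda e: e["TimeCreated"])
    alerts = []
    for i, ev in enumerate(events):
        reason = protection_off_reason(ev)
        if reason is None:
            continue
        restored = any(later["Computer"] == ev["Computer"] and protection_restored(later)
                       for later in events[i + 1:])
        alerts.append({"computer": ev["Computer"], "when": ev["TimeCreated"],
                       "reason": reason, "restored": restored})
    return alerts


def silent_hosts(events, inventory):
    """Inventoried hosts from which no Defender event arrived in the window."""
    seen = {e["Computer"] for e in events if e["LogName"] == DEFENDER_LOG}
    return sorted(set(inventory) - seen)


# Constructed sample export for the demo (not real log data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-07-02T13:55:10", "Computer": "FINANCE-PC01",
     "LogName": DEFENDER_LOG, "EventID": 1001, "Message": "An antimalware scan finished."},
    {"TimeCreated": "2021-07-02T14:02:31", "Computer": "FINANCE-PC01",
     "LogName": DEFENDER_LOG, "EventID": 5001, "Message": "Real-time protection is disabled."},
    {"TimeCreated": "2021-07-02T14:02:40", "Computer": "FINANCE-PC01",
     "LogName": "System", "EventID": 7036,
     "Message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"TimeCreated": "2021-07-02T14:30:05", "Computer": "SALES-PC07",
     "LogName": DEFENDER_LOG, "EventID": 5001, "Message": "Real-time protection is disabled."},
    {"TimeCreated": "2021-07-02T14:31:12", "Computer": "SALES-PC07",
     "LogName": DEFENDER_LOG, "EventID": 5000, "Message": "Real-time protection is enabled."},
]
INVENTORY = ["FINANCE-PC01", "SALES-PC07", "RECEPTION-PC02"]  # assumed asset list


if __name__ == "__main__":
    for alert in find_protection_gaps(SAMPLE_EVENTS):
        flag = "restored" if alert["restored"] else "STILL OFF"
        print(f"{alert['when']} {alert['computer']}: {alert['reason']} ({flag})")
    for host in silent_hosts(SAMPLE_EVENTS, INVENTORY):
        print(f"no Defender events at all from {host}: check the agent")
```

In the sample, FINANCE-PC01 has real-time protection disabled and the service stopped with nothing turning it back on, SALES-PC07 had a brief switch-off that was re-enabled a minute later (worth a question, but a lower-priority alert), and RECEPTION-PC02 never reported. A supplier or MSP that manages your endpoints will normally have the rights to do all three, so these are exactly the events to watch when you have to assume that supplier could be compromised.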


The ECRC offers a variety of options that support businesses on their own cyber resilience journey. Below is a list of some of these services which might be of interest to you.


A choice of membership starting with its core membership option

Cyber Essentials through the ECRC’s Trusted Partners

Cyber business continuity exercises

Security policy review

Supply chain security guidance - NCSC.GOV.UK

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.