Cybersecurity in the Supply Chain

When we think about cybersecurity, it is common to think about protecting personal and corporate data against attacks. However, it is also important to prioritize the security of the Supply Chain, especially as operations become increasingly digitalized.

Globally, the technology priorities of Supply Chain leaders are oriented towards data analysis, IoT and Cloud platforms, but only 31% focus on information security (according to APQC).

What is a Supply Chain attack?  

The supply chain includes the processes, people, organizations and distributors involved in creating and delivering a product or service. Because this ecosystem encompasses a wide range of resources, stored information, distribution channels and process-management software, it is an attractive target for cyberattacks.

As a general rule, these attacks are carried out in two phases. First the attackers breach a supplier; they then use that foothold to attack the main target (the customer) and access its assets.

Some of the most used techniques for this purpose are: 

  • Malware: spyware and other malicious software are used to steal employee credentials and information. 62% of attacks use this technique.
  • Social engineering: phishing, fake applications and impersonation are used to persuade supplier staff to hand over information.
  • Exploitation of vulnerabilities: the attacker searches for and exploits weaknesses in the supplier's code (for example SQL injection) or configuration problems. According to the European Union Agency for Cybersecurity (ENISA), in 66% of the incidents reported during 2021, attackers focused on the suppliers' code in order to alter it.
  • Open-Source Intelligence (OSINT): searching public online sources for leaked credentials, API keys or usernames.
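The OSINT technique above works because credentials and API keys leak into public places (repositories, pastes, configuration dumps) and are trivial to find with pattern matching. The same approach lets a supplier or customer find its own leaks before an attacker does. The scanner below is an added example, not code from Suplos or from this article; the regexes cover a few publicly documented key formats and are an assumption about which patterns matter, the 3.5-bit entropy threshold is a tuning assumption, and the sample configuration is constructed (the AWS key is the placeholder from AWS's own documentation, not a live credential).

```python
"""Scan text for leaked credentials the way an OSINT sweep would find them."""
import math
import re
from dataclasses import dataclass

# Regexes for a few well-known credential formats (assumption: based on the
# publicly documented prefixes; extend this for the vendors you actually use).
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Catch-all for `secret_name = "value"` style assignments. The value must be
# at least 16 characters and pass an entropy check, so that placeholders such
# as "changeme" are not reported as real secrets.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning assumption, not a standard


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # the raw secret is never stored or logged


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; randomly generated keys score well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be triaged, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking token, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen_values: list[str] = []
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                seen_values.append(m.group(0))
                # A PEM header is not itself secret, so it is reported verbatim.
                shown = m.group(0) if kind == "private_key_block" else redact(m.group(0))
                findings.append(Finding(line_no, kind, shown))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip values already reported under a specific pattern.
            if any(v in value or value in v for v in seen_values):
                continue
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a real secret
            findings.append(Finding(line_no, "generic_secret_assignment", redact(value)))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN: "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
username = "deploy-bot"
-----BEGIN RSA PRIVATE KEY-----
DB_PASSWORD = "changeme_changeme"
api_key = "kZ9tQ2mX7pL4vR8wB1nC6yH3"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Run over the sample, the scanner reports the AWS key, the GitHub token, the private-key header and the high-entropy `api_key`, while the `changeme_changeme` password is dropped by the entropy check and the token is not reported twice. Running the same scan over a supplier's public repositories is a cheap way to check item 3 of the list below (whether the supplier is leaking the credentials it would use to reach your systems) before an audit.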

According to ENISA, 58% of supply chain incidents targeted customer data, including personal data and intellectual property. 

How to strengthen cybersecurity in the Supply Chain? 

  1. Train employees and establish a regular cybersecurity training plan.
  2. Identify and document suppliers, defining the risk criteria for each one.
  3. Conduct periodic audits of suppliers to ensure they comply with information security and data protection policies. In 66% of Supply Chain attacks, suppliers did not know, or did not report, how they were compromised.
  4. Classify the assets and information that can be shared with or accessed by suppliers, and define the procedures for accessing them.
  5. Implement cybersecurity policies aimed at preventing attacks. To do so, it is important to know which measures are already in place and which are missing.
  6. Prioritize suppliers that have defined information security policies.

Tatiana Calero
