When the secure file transfer tool MOVEit was hit by a cyber attack earlier this year, the impact was felt far and wide. In the UK, British Airways, Boots, the BBC, Aer Lingus and Shell have all revealed they’ve been affected. Experts estimate as many as 200 organisations around the world and 17.5 million people may have been caught up in the data breach.
Supply chains are a tempting target for criminals looking to exploit vulnerabilities in multiple businesses at the same time. By their very nature, supply chains are often long and unwieldy, stretching across geographies, with little visibility into potential threats. When a data breach does occur, it can be challenging to find the source, which slows the response time and maximises the impact a criminal can have. Only 47% of organisations say they share knowledge about ransomware attacks with suppliers.
As with MOVEit, the domino effect can be significant. A data breach along your supply chain can disrupt vital operations, damage the relationship and trust between a business and its customers, and lead to substantial costs to put the problem right. The consequences – and fines – can be as severe as if the data breach was your own.
It’s also a risk that’s increasing, driven by the shift to a remote workforce, expansion of digital supply chains, and adoption of complex technology architecture. Research by the security company Sophos in 2020 found nearly one in 10 ransomware victims said the attack started with a trusted third-party supplier. One year later, Sonatype’s State of the Software Supply Chain report found there had been a 650% increase in supply chain attacks.
And while many businesses are getting on top of their own privacy compliance, there’s still a lack of awareness of their data protection obligations within supply chains.
Some are unsure about what they should be asking suppliers to do. Others struggle with a lack of visibility or do not have the right tools and other resources to properly evaluate the risk posed by their supply chain.