22 Mar 2023

Companies vulnerable to cyber-attack via suppliers - research

10:41 am on 22 March 2023
Of the 55 percent of businesses hit by a cyber attack last year, almost a quarter had commercially sensitive data or intellectual property accessed or stolen, the survey of more than 200 firms found. Photo: 123RF

Businesses are being told to check their suppliers' cyber security measures as a growing number of third-party cyber-attacks take advantage of weak spots.

Research by marketing intelligence agency Perceptive for the state-owned telecommunications company Kordia showed more than half of the 213 businesses surveyed suffered a cyber-attack or incident in the past year.

The risks of a third-party attack, or a supply chain attack - when a business' system was infiltrated via an outside partner or provider with access to the business' system or data - were being acutely felt.

"Twenty-eight percent of businesses impacted by a cyber-attack in the past 12 months cited that the attack came through a third party, second only to phishing," the report said.

"This illustrates the difficulty organisations face managing security risk from partners who have access to their systems and data."

Kordia's regional cyber security business manager Peter Bailey said businesses should undertake an audit of the suppliers they work with to ensure their cyber-security measures were airtight.

"We see examples of, say a business using a third party supplier and you're paying them an invoice on a regular basis, the attackers gain access to their company's email accounts, because they're not securing the email accounts very well.

"They might just sit in there and watch the correspondence between you, as the company, and them as your supplier, and then they might jump in and gain access to an invoice that you're sending and they might change it to a different bank account.

"Suddenly, you're getting an invoice to pay, but it's going to the attacker's bank account or not your supplier."

Bailey said cyber-attacks could range from online accounts and information being compromised to online fraud.

"Businesses simply can't afford to operate with a blind spot around their supply chain partners - they need absolute clarity around what third parties have access to, and the layers of security that exist around that access," he said.

Of the 55 percent of businesses hit by a cyber attack last year, almost a quarter had commercially sensitive data or intellectual property accessed or stolen and some lost business because of reputational damage from the attack.

Despite this, five out of six businesses surveyed, or 85 percent, were confident in their cyber security safeguards.

"Confidence is particularly high among those who have experienced a threat or attack in the past, which could indicate that resilience is being taken seriously," Bailey said.

Bailey said more than 90 percent of directors and owners had high levels of confidence in the business' cyber security, but this dropped down to 70 percent among general managers.

Of concern, however, was the news that almost half of respondents relaxed their cyber security to boost productivity in the past 12 months, he said.

"Another major concern is nearly one in five large businesses don't have a cyber security awareness or training programme for employees," Bailey said.

"Given the continuously high volumes of phishing attacks, it's no surprise that this remains a high risk for organisations with employees at risk of clicking on malicious links that grant access to threat actors."