Jon Fielding, Managing Director, EMEA at Apricorn, explores the role of endpoint security in protecting the business from supply chain attacks.

Cyber attacks involving the supply chain are on the increase, with Gartner predicting that 45% of organisations worldwide will have experienced an attack on their software supply chain by 2025. Much of this growth comes from attackers exploiting vulnerabilities in widely used software to compromise digital supply chains: a recent report found that 91% of organisations were subjected to a software supply chain attack in 2023.

Supplier ecosystems are becoming ever more complex, with suppliers of suppliers several chains deep, and dependencies on shared software are increasing. The MOVEit attack showed what that concentration means: a single vulnerability in one file-transfer product is estimated to have compromised over 2,000 organisations and the data of more than 94 million people. However, while these software attacks grab the headlines, they can draw attention away from other threats to the supply chain, not least the endpoints on which shared data ends up.

More complexity, greater risk

Organisations need to share information with their suppliers, and often do so over endpoints they neither manage nor trust, which increases the risk to their internal systems and data. To help mitigate this risk, organisations are advised to conduct third-party risk assessments, but few do so. The Cyber Security Breaches Survey 2023 found that only 13% review the risks posed by their immediate suppliers and only 8% their wider supply chain, citing a lack of resource, an inability to get enough information from suppliers, or not knowing what checks to perform.

Without any checks in place, the organisation cannot verify that a supplier meets its security requirements, which not only increases its exposure but potentially places it in breach of the regulations it must comply with, GDPR among them. Article 5 requires that personal data (the GDPR term for PII) be processed in a way that ensures appropriate security, including protection against unauthorised access, accidental loss and damage, and that obligation sits with the organisation regardless of what its supplier does. So, even if the organisation cannot obtain all the information it requests from a supplier, it is in its interests to take the initiative.

That starts with regular audits of all data shared with suppliers, so that the information can be identified and protected. The audit should document what data is shared, how and where the supplier stores and processes it, who has access to it, how it is secured at each stage, and whether it is passed on to other suppliers further downstream.

Breach causes 

Data breaches can result from a multitude of factors. There may be a lack of awareness of the value and sensitivity of the data being shared with third parties, insufficient access control and authentication procedures, or simple human error, but irrespective of the cause, a third-party breach can prove highly damaging. For example, last year the Metropolitan Police suffered a breach of officers' PII when an attacker broke into the IT systems of the contractor that printed its warrant cards and staff passes, putting over 47,000 staff at risk.

In fact, a fifth (21%) of the IT decision makers polled in a recent Apricorn survey reported third parties mishandling corporate information. Other issues included employees unintentionally putting data at risk (22%) and lost or misplaced devices containing sensitive corporate information (18%). Almost half (48%) said their organisation's mobile or remote workers had knowingly put corporate data at risk of a breach.

Effective endpoint security 

These figures show how common human error is, making it imperative that the organisation takes steps to address such weaknesses. Staff awareness training can help to mitigate the risk, and it should be extended to the partners and contractors that work closely with or inside the business. These programmes should educate users on the value of specific data, the risks and threats to it, how it should be protected and their personal responsibilities, as well as the broader data protection and security policies, such as an acceptable use policy that sets out how data may be accessed from mobile devices and how those devices must be protected.

Should you rely on encryption?

Encryption is a key means of protecting sensitive data because it keeps the data unintelligible even if the device holding it is compromised. A hardware-based implementation is more robust than encryption software installed on the device: a software product's failed-unlock counter is just data on the host and can be reset, and the software itself is exposed to tampering, screen capture and keylogging on that host. If instead the encryption keys are generated and held inside a hardware crypto module that never releases them to the host, the attempt limit is enforced by the module itself, protecting the keys from brute-force attacks and unauthorised access. Ideally, the organisation should require employees to use FIPS 140 validated, hardware-encrypted portable devices across the organisation.
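The difference between a counter a software tool keeps for itself and one a hardware module enforces is easiest to see in code. The following is an added example, not Apricorn's code or any product's real unlock mechanism: it models a PIN-unlocked encrypted container whose lock-out counter lives in the container header, and shows that the counter stops a legitimate user's typos but does nothing against an attacker who has imaged the disk, because that attacker never calls the software's unlock routine at all. The PIN, attempt limit and scrypt parameters are constructed for the demo; a hardware module closes this gap only because the attacker cannot copy or bypass the part that counts.

```python
"""Why an attempt counter only helps when the attacker cannot touch it.

Added example (not a real product's mechanism): a software-enforced
lock-out counter in an encrypted container header versus an attacker
working on a copy of that header. Standard library only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 10                      # constructed policy: wipe after 10 bad PINs
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1    # scrypt cost, kept modest so the demo runs fast


@dataclass
class Header:
    salt: bytes
    check: bytes          # HMAC(key, b"check") so unlock() can verify a PIN
    attempts_left: int    # the counter the software itself enforces
    wiped: bool = False


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN with scrypt; this is the only cost an offline attacker pays."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=KDF_N, r=KDF_R, p=KDF_P, dklen=32)


def key_check(key: bytes) -> bytes:
    return hmac.new(key, b"check", hashlib.sha256).digest()


def create(pin: str) -> Header:
    salt = secrets.token_bytes(16)
    return Header(salt=salt, check=key_check(derive_key(pin, salt)),
                  attempts_left=MAX_ATTEMPTS)


def unlock(h: Header, pin: str):
    """Legitimate path: return the key on success, count failures, wipe at zero."""
    if h.wiped:
        return None
    key = derive_key(pin, h.salt)
    if hmac.compare_digest(key_check(key), h.check):
        h.attempts_left = MAX_ATTEMPTS
        return key
    h.attempts_left -= 1
    if h.attempts_left <= 0:
        h.salt, h.check, h.wiped = b"", b"", True   # "self-destruct": nothing left to attack
    return None


def offline_brute_force(h: Header, digits: int = 4):
    """Attacker path: works on a copied header, never calls unlock(), so the
    counter is never consulted. Returns (pin, number_of_guesses) or (None, n)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(key_check(derive_key(guess, h.salt)), h.check):
            return guess, n + 1
    return None, 10 ** digits


def demo():
    h = create("0042")                                   # constructed weak 4-digit PIN
    stolen = Header(h.salt, h.check, h.attempts_left)    # attacker images the disk first
    for _ in range(MAX_ATTEMPTS):                        # counter works against the live device...
        unlock(h, "9999")
    pin, tries = offline_brute_force(stolen)             # ...but not against the copy
    return h.wiped, pin, tries


if __name__ == "__main__":
    wiped, pin, tries = demo()
    print(f"live container wiped: {wiped}; attacker recovered PIN {pin} after {tries} guesses")
```

The only thing slowing the attacker down in this model is the key-derivation cost, which a 4-digit PIN cannot survive whatever the scrypt parameters. A hardware-encrypted device changes the picture because the counter and the key never leave the module: there is no header to image, and every guess has to go through the module's own attempt limit.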

GDPR also expressly names encryption in Article 32 as an appropriate measure for protecting personal data, and organisations that encrypt stand to benefit further: under Article 34, a controller need not notify each affected individual of a breach if the data was rendered unintelligible to anyone not authorised to access it, for example through encryption, which reduces its obligations and the associated administrative costs (the breach must still be reported to the supervisory authority under Article 33).

Encryption security is falling out of use

However, encryption is falling out of practice. The same survey revealed that only 12% of organisations currently encrypt data on all laptops, compared with 68% in 2022, while 17% encrypt data on all desktop computers, down from 65% the year before. It's a similar story for mobile phones, with 13% encrypting on all of them versus 55% in 2022; USB sticks, with 17% encrypting today, down from 54%; and portable hard drives, which dropped to just 4% from 57%. What's more, 17% of those questioned said a lack of encryption was directly responsible for a data breach within their business over the past year.

Keeping policies and procedures up to date and relevant is also vital, and they are the means by which partners and suppliers are kept in the loop. They should form the basis of supplier contracts, with penalties for non-compliance, and be enforced through technical controls, for example by issuing devices that automatically lock, and erase their keys, after a set number of failed unlock attempts, so that a lost or stolen device cannot simply be brute-forced.

By implementing the necessary policies and processes at an early stage, the organisation is more likely to be able to respond appropriately and efficiently if, and when, a breach should occur.  
