NCSC: UK Firms Face Rising Supply Chain Cyber-Threat

UK organizations are facing an unprecedented threat from cyberspace, according to the National Cyber Security Centre (NCSC).

The GCHQ body warned in a new report produced with the National Crime Agency (NCA) that UK businesses faced more attacks than ever before in 2017, with ransomware, supply chain attacks, data breaches and fake news all making a significant impact.

Between October 2016 when the NCSC was opened and the end of 2017, it recorded 34 “significant” cyber-attacks like WannaCry which required a cross-government response, and 762 less serious incidents.

The supply chain was highlighted as a particular area of risk – even for organizations with mature cybersecurity strategies.

“Supply chain compromises of managed service providers and legitimate software (such as MeDoc and CCleaner) provided cyber-adversaries with a potential stepping stone into the networks of thousands of clients, capitalizing on the gateways provided by privileged accesses and client/supplier relationships,” the report noted.

“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

Supply chain attacks are extremely difficult to detect, even with the right network monitoring tools, as it can be hard to tell whether a discovered flaw has been introduced accidentally by the manufacturer or deliberately by attackers.

The NCSC recommended that organizations follow the “least privilege” principle when granting third parties remote access, and work with Cyber Essentials certified organizations, or those that can demonstrate they follow the NCSC’s 10 Steps to Cybersecurity guidance.

Webroot director of threat research, David Kennerley, said the report's findings were no surprise.

“Organizations need to utilize a multi-layered approach with real-time threat intelligence to detect all types of emerging threats and stop attacks before they strike, while not forgetting the essential role of employee education within any organization,” he added.

“Employees are often seen as the weakest link with regards to security. It’s time to buck this trend, and instead utilize them as the first line of defense.”

Matt Walmsley, EMEA director at Vectra, added that firms need to adopt an “I’m already compromised” mentality.

“We need to… put in place security capabilities that not only block known threats but that are smart enough to detect and respond in real-time to active threats that have defeated or bypassed defensive controls and gained access and persistence within the organization,” he continued.

“Finally, we need the executive leadership and governance bodies of organizations to step up and recognize that security is a strategic organizational issue, not one simply of technology.”

The report comes just days after an NCSC warning that Russian state hackers are again targeting CNI supply chain organizations in the engineering and industrial control spheres.
