Small business cyber security: Protecting against supply chain attacks and supplier risk

Author: Phil Muncaster

When the U.S. government announced in January that an advanced threat group had compromised nine agencies, it was a wake-up call for many organizations. Here was an attack that worked in part by hiding malware inside software provided by a legitimate federal IT supplier, SolarWinds. Although sophisticated campaigns like this are rare, supply chain attacks are on the rise.

Small business cyber security leaders must respond in kind. But with few resources and little in-house expertise, the best cyber security strategies for small to medium-sized businesses (SMBs) involve outsourcing threat detection and response to a trusted third party.

Why do third parties pose a risk to SMBs?

As an SMB owner, you may be thinking that supply chain attacks are the preserve of larger, more lucrative targets. That's not necessarily the case. By targeting a single supplier, attackers can compromise scores or even hundreds of corporate clients, many of whom may be SMBs. For financially motivated criminals, this kind of return on investment is exactly what they're after.

A report from the Identity Theft Resource Center (ITRC) earlier this year revealed that 668 entities were hit by supply chain attacks focused on data theft, affecting over 27 million individuals. The number of such attacks increased by 42% in the first quarter of 2021 compared to the final three months of 2020, the ITRC reported more recently.

Supply chains are what modern businesses are built on. Whether you're a hair salon, a construction company or a small accounting firm, your business will have a large and increasingly complex network of partners and suppliers delivering physical and digital goods and services. With this greater complexity, it has become increasingly difficult to gain full visibility and control over these suppliers and, more importantly, over how secure they are against cyber attacks. In fact, recent research revealed that over a third of businesses don't even know how many external suppliers they use.

The bottom line is that if any one of these companies is compromised, it could have a knock-on impact across the entire supply chain, potentially resulting in a serious small business cyber security breach. Developing effective cyber security strategies for small to medium-sized businesses means first understanding what you're up against.

Different types of supply chain attacks

A supply chain attack could undermine small business cyber security in several ways. These include:

  • Malware hidden in legitimate software: This could be a sophisticated attack, such as the SolarWinds campaign mentioned earlier. Or it could be something far simpler: a developer accidentally downloading open-source code containing malware. This is increasingly common. One 2020 study found that 24% of developers reported a breach over the previous 12 months, and a fifth (21%) of them linked this to the use of third-party components.
  • Malware hidden in websites: Another popular supply chain attack is to infect your digital suppliers with malware designed to steal customer card data. Thus, when you load their code onto your website, it comes complete with a nasty hidden surprise. One advertising agency was compromised in this way, affecting hundreds of its customers.
  • Third-party passwords: Employees at your suppliers, partners and contractors could also be a cyber risk if they have access to your IT systems. In the infamous 2013 breach at Target, attackers first fired phishing emails at the retailer's heating and air conditioning partner. The result: They got hold of logins for the Target network, compromising 110 million customers' data.
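The first two attack types above share a defence: never run third-party code, whether a downloaded package or a supplier's script embedded in your website, unless its bytes match what you reviewed and pinned. The following Python example is added here to show that check in working form; it is not code from the article or from Verizon. All artifact names, contents and the CDN hostname are constructed, and in a real build the pinned hashes would come from a lockfile or signed manifest rather than being computed from trusted bytes at runtime.

```python
import base64
import hashlib
import hmac

# Constructed "known good" artifacts: a packaged dependency and a supplier's
# checkout script. In a real project the pins come from a lockfile or a signed
# manifest; they are derived here only so the example runs stand-alone.
KNOWN_GOOD = {
    "widget-lib-2.1.0.tgz": b"legitimate widget-lib 2.1.0 package contents",
    "checkout-script.js": b"function checkout() { /* legitimate supplier code */ }",
}
PINS = {name: hashlib.sha256(data).hexdigest() for name, data in KNOWN_GOOD.items()}

# Constructed download results: one intact, one altered at the supplier or in
# transit, and one dependency that nobody reviewed or pinned.
DOWNLOADED = {
    "widget-lib-2.1.0.tgz": KNOWN_GOOD["widget-lib-2.1.0.tgz"],
    "checkout-script.js": b"function checkout() { /* legitimate supplier code */ } /* altered */",
    "new-dep-0.1.0.tgz": b"unreviewed package",
}


def verify_artifact(name, data, pins=PINS):
    """Return 'ok', 'mismatch' or 'unpinned' for one downloaded artifact."""
    expected = pins.get(name)
    if expected is None:
        return "unpinned"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def audit(downloaded, pins=PINS):
    """Check every downloaded artifact; anything other than 'ok' should fail the build."""
    return {name: verify_artifact(name, data, pins) for name, data in downloaded.items()}


def sri_value(data):
    """Subresource Integrity value for a script your site loads from a third-party host."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def script_tag(src, data):
    # With the integrity attribute set, the browser refuses to execute the script
    # if the bytes it fetches no longer match the hash you published.
    return f'<script src="{src}" integrity="{sri_value(data)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    for name, status in audit(DOWNLOADED).items():
        print(f"{status:9} {name}")
    print(script_tag("https://cdn.example.invalid/checkout-script.js",
                     KNOWN_GOOD["checkout-script.js"]))
```

Run as a script, the audit reports `ok`, `mismatch` and `unpinned` for the three constructed downloads, and prints a script tag whose `integrity` attribute a browser will enforce. The policy choice is that `unpinned` is treated as a failure, not a warning: an unreviewed component is exactly the path by which the malware in the first bullet arrives.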

What's the impact of small business cyber security breaches?

Most supply chain attackers are looking to make money off the back of your company. They can do this in various ways. It could be by stealing data and/or deploying ransomware and then forcing you to pay a fee to regain access to that data. They could aim to steal customer and employee card details. They could even install malware that mines cryptocurrency illicitly, using your IT resources to run up huge power bills.

These attacks could cause significant financial and reputational damage to your business, including:

  • Cost of IT overtime to clean up and remediate an incident
  • Cost of hired experts to investigate the incident
  • Potential lawsuits, if employee and customer data is exposed in a breach
  • Regulatory fines (California Consumer Privacy Act, General Data Protection Regulation, etc.)
  • Customer churn following brand damage
  • Lost productivity for staff
  • Downtime and lost sales

Cyber security strategies for small to medium-sized businesses

Today's threat actors have a multitrillion-dollar cyber crime underground at their disposal. That means even the best small business cyber security can't stop 100% of attacks. The best cyber security strategies for small to medium-sized businesses focus on detecting attackers as soon as possible after they've breached your network and kicking them out before they've had a chance to cause any damage.

Yet as a small business owner, you don't have the time or resources to adequately enforce threat detection and response. This is when managed services come into their own to support small business cyber security.

Look for a next-gen managed security information and event management (SIEM) platform, which takes data from your IT environment, enriches it with third-party threat intelligence from multiple sources and analyzes these signals to flag when there's a serious incident to investigate. If you tried to run this kind of SIEM in-house, your IT team would be overwhelmed with alerts. The power of a managed service is that you let the experts take care of fine-tuning the SIEM technology and filtering out the noise so you are only alerted when there's something worth looking at. Ultimately, it means faster, more accurate threat detection and response.

By outsourcing this function to a third party, you can:

  • Benefit from economies of scale and the expertise of the provider—helping you to attain enterprise-grade security without paying enterprise prices
  • Deploy easily through the cloud
  • Protect your business from potentially serious financial and reputational damage
  • Preserve your existing resources to focus on growing the business

Learn more about small business cyber security and how Verizon can support cyber security strategies for small to medium-sized businesses with managed SIEM.