If you are a business owner and you have been paying attention, you may be justifiably concerned about the recent slew of high-profile ransomware attacks – many involving supply chain attacks that affect hundreds of businesses large and small.
What is a supply chain attack, and how can you defend your company against data breaches and ransomware attacks?
In this article, we will provide some guidance including resources to:
What is a Supply Chain Attack?
Supply chain attacks are nothing new – it’s the modern-day cyber equivalent of Virgil’s Aeneid and Homer’s Odyssey.
A “Trojan horse” – malicious code that is designed to steal data, provide a backdoor for hackers, or even shut down your systems - can be brought into your network in many ways. Most people understand these days that malicious code can come in through email links or downloads, and many companies are taking measures to protect against this well-known vulnerability.
But how well protected are your vendors’ systems, or your vendors’ vendors’ systems?
Supply chain attacks are when hackers place malicious code – or even physical components – into software and hardware that is used by hundreds or even thousands of companies including software development tools, computer manufacturers, website development tools, third-party data storage services, or any type of vendor that provides software or hardware to a broad range of businesses.
Supply chain attacks can be more than just malicious code, however – it is any type of attack that results from your company’s use of a third party. For example, many companies have suffered supply chain attacks when threat actors working for third party vendors have gained access to the company’s network and data.
You may have cybersecurity policies in place that provide a reasonable level of protection for your business, but are you also ensuring that your vendors’ products are free from infection? If you are connecting third party software or hardware or allowing third party access to your network and data, you can become a victim of a supply chain attack despite your best efforts to secure your own business’s systems.
FTC – Start with Security
Supply chain attacks are just one method hackers can use to obtain your company’s and your customers’ personal data or to conduct a ransomware attack on your company. If your business has the resources (and wants to protect those resources), it may be necessary to:
Protect Personal Information of Customers and Employees
Another cybersecurity resource for businesses provided by the FTC is Protecting Personal Information: A Guide for Business, which provides guidance for protecting sensitive personal information like customers’ identities, social security numbers, or account numbers, including:
SBA Cybersecurity Guidance
The Small Business Administration also has resources to help small businesses prevent and respond to cyberattacks, including this guide that discusses:
Prevent Supply Chain Attacks
Who oversees supply chain security at your company?
Someone should – every company that uses cell phones, tablets, computers, online banking, data storage, or any type of information and communications technology (ICT) is connected to a global supply chain.
A chain is only as strong as its weakest link, and, as recent events have shown, hackers are now quick to exploit vulnerabilities in a company’s supply chain allowing them to attack multiple businesses at the same time.
Your company’s personnel who oversee supply chain security could be IT personnel, information security officers, risk management personnel, or just the employee who manages your vendors and supplies.
Prevent FTC Enforcement Actions
Is your company a victim of hackers, or are your customers a victim of your company’s negligence?
That’s the question the Federal Trade Commission may be asking after your company experiences a cybersecurity incident like a data breach or ransomware attack, and that’s why your company needs to proactively protect itself and its customers from hackers and be prepared to respond quickly to any cybersecurity incidents.
Federal Laws Related to Cybersecurity
Any type of business should be prepared for supply chain attacks, data breaches, and ransomware attacks, but some types of businesses are subject to additional types of data security and privacy regulations.
Cybersecurity Policies, Supply Chain Contracts, and Incident Response
A comprehensive plan to protect your business against ransomware attacks, data breaches, and other cybersecurity incidents including supply chain attacks may include consultation with your business’s attorneys who can:
Please feel free to contact one of our Murray Lobb attorneys to obtain our legal advice regarding industry-specific cybersecurity laws and regulations, vendor contracts, and cybersecurity incident response. We also remain available to help you with all your general business, corporate, and estate planning needs.