What is it?
A digital supply chain attack is a cyber attack that seeks to damage an organisation by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector to the oil industry or government sector, so it is crucial to prepare for one.
The online nature of modern businesses means that digital supply chains are becoming more complex, making it increasingly difficult for companies in the chain to ensure they are protected. This is because they cannot know what cyber processes and procedures others might have. This scenario looks at what you can do to mitigate these risks.
The exercise is split into four injects, each containing multiple discussion points. This allows organisations to review and refine their contingency plans for a cyber attack within their supply chain.
The aims of this exercise are as follows:
- To investigate how your procurement process assures the security of suppliers.
- To determine what visibility you have of your data when a third party stores it.
- To think about what risks customer data is exposed to.
- To understand the complexities of your supply chain and build an understanding of how supply chains can impact your security.
- To operate in a no-fault environment to check and test cyber security defences and capabilities.
Why do it?
Most organisations rely on suppliers to deliver products, systems, and services. You probably have several suppliers yourself; it is how we do business. But supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption to an organisation and its customers.
It is important for organisations to conduct cyber exercising to enable them to prepare for a potential cyber attack within their business and mitigate that threat as much as possible.
Following the recent Colonial Pipeline attack that took down a major gas pipeline in America, a new attack surfaced that hit the American company Kaseya. Hundreds of companies from all areas of business were directly hit by the supply chain attack, making it one of the biggest and most far-reaching ransomware attacks in history. You can read our blog on this attack here: Threat intelligence: Kaseya.
Some of the benefits and key takeaways of cyber exercising include:
- Understanding actual versus perceived capabilities of people and technology.
- Deciding where to invest budgets in training or new technology.
- Building muscle memory and reducing stress for security teams and management.
- Improving morale and team building.
- Meeting regulatory requirements.
Who is it for?
Exercise in a Box is aimed at any organisation, large or small, aiming to increase its cyber knowledge and perception. The digital supply chain affects every organisation in some shape or form. Understanding how disruption impacts your organisation is critical in times of distress. Your supply chain may not be massive, but an attack on it may have massive implications for your company and customers. It is advised that organisations bring a diverse team and not just the IT department. This will ensure that more of the company is trained and not just a small part of it.
You can sign your organisation up for an Exercise in a Box workshop here.