The ICO has described ransomware as “a persistent and significant online threat to the UK economy and people”. It said organisations that fall victim to ransomware attacks “should assume the information has been exfiltrated”.
To reduce the risk of ransomware attacks, the ICO advised several actions. They include that organisations should: follow good cyber hygiene, such as by adopting the UK National Cyber Security Centre’s (NCSC’s) ‘10 Steps to Cyber Security’ guidance; use multi-factor authentication to protect user credentials; have appropriate, secure, and tested back-ups; operate a monitoring system to detect issues early; and test response and recovery plans.
The ICO’s latest advice supplements broader guidance it issued in 2022 in relation to ransomware and data protection compliance.
Sectors at risk
All organisations have to be alert to the evolving cyber threat, but data suggests some sectors are being targeted by cyber criminals more heavily than others, and that the position differs across geographies.
For example, while financial services firms are among the most commonly targeted businesses in the UK – a third of Pinsent Masons’ cyber case work in 2023 involved businesses active in the financial services sector – our colleagues in France highlighted how healthcare organisations are facing a dramatic increase in malware and ransomware attacks, owing to the sheer volume and value of personal information they hold and the fact they often operate outdated security infrastructure.
In the Netherlands, businesses active in the IT sector are a favourite target of cyber criminals, according to information published by the Dutch data protection authority, while colleagues in South Africa said recent cyber attacks against the Companies and Intellectual Properties Commission and the Independent Electoral Commission show how public bodies are being targeted by cyber criminals.
In Australia, there has recently been a focus on the cybersecurity practices of professional services firms after law firm HWL Ebsworth fell victim to a ransomware attack. The Victorian legal sector regulator has released guidance for law firms on protecting client data and complying with legal and ethical obligations by meeting minimum cybersecurity expectations for critical, system and behaviour controls. A failure to meet these expectations could amount to conduct capable of constituting professional misconduct.
Critical infrastructure the focus of some new law
In the EU, the deadline for the implementation of the second Network and Information Security Directive (NIS2), 17 October 2024, is looming for many organisations.
The NIS2 regime builds on the original NIS directive which took effect in the EU in 2018 and focuses on cybersecurity protections for so-called critical infrastructure. NIS2 is broader in its scope than the original directive, meaning more organisations across both the public and private sectors will be subject to cybersecurity risk management and incident reporting obligations than before.
For example, pharmaceutical companies and operators of hydrogen production, storage and transmission are among the organisations that will be subject to the strictest requirements under the tiered system of regulation NIS2 provides for. Some businesses that have only been subject to the lighter touch framework under the original NIS directive will also now find themselves subject to the stricter rules – such as cloud computing providers. The lighter touch regime will also now apply to a broader range of businesses – including manufacturers of computers and vehicles, businesses engaged in food production and processing, chemicals companies, and waste management providers.
Companies will have to put in place the necessary tools for managing cybersecurity risks and reporting incidents. The new rules will drive a shift towards advanced correlation and context analysis capabilities, improved cybersecurity preparedness, and place intelligence at the centre of every security decision. Fines of up to €10m, or 2% of an organisation’s annual global turnover, whichever is higher, could be imposed on entities subject to the strictest requirements.
Similar changes to UK NIS rules are also in the pipeline, while the cybersecurity of critical infrastructure is also the focus of legislation in Australia.
Broad cybersecurity requirements are also arising from other new laws, such as in Malaysia where new cybersecurity laws were approved recently. In the Middle East, cybersecurity requirements are increasingly being focused on specific industries, such as financial services and healthcare. The introduction of new, and reform of existing, data protection legislation across the region is also giving a renewed focus to data security.
AI and its impact
The move by EU policymakers to introduce the world’s first AI rulebook could also have cybersecurity implications. The new EU AI Act, which is in the final stages of being adopted, is designed to provide certainty in respect of regulatory requirements and therefore encourage responsible use of AI by organisations.
While AI has the potential to help organisations to innovate and achieve efficiencies, it also has the potential to transform the criminal landscape by enabling hackers to identify and exploit previously unknown vulnerabilities.
Thanks to its ability to analyse large quantities of data and learn from patterns, AI can rapidly identify weaknesses in IT systems, networks and even human behaviour. Many sectors and critical infrastructures are thus exposed to the risk of cyber attacks, since – as we have explored before – criminal organisations can use this AI capability to launch sophisticated, targeted attacks.
AI-based tools can also be used to identify potentially vulnerable individuals or organisations. Through social media and other online platforms, AI can gather a wealth of information about potential victims, including their financial situation, interests and behavioural patterns. This information can be used by criminal organisations to design highly personalised and convincing scams or targeted phishing attacks, enabling them to more easily deceive their victims. As AI advances and becomes more accessible, the ability of criminal organisations to exploit it for their nefarious activities will only increase.
The changing technological environment underscores the need for organisations to remain vigilant against persistent and evolving cyber threats. Addressing these risks requires a multifaceted approach, involving technical controls, user awareness training, robust vendor management practices, and a strong emphasis on internal security procedures.