Cyber attacks will get worse without serious regulation, experts say

Cyber experts have said that changes must be made to reverse three years of damage to companies’ supply chain security after a spate of attacks on UK retailers.
Their warnings follow yet another cyber attack at a UK firm, this time Peter Green Chilled – supplier to Tesco, Sainsbury’s and Aldi.
“It is not a matter of if, but when these institutions are attacked,” Spencer Starkey, VP EMEA of cybersecurity firm Sonicwall, said.
“Supply chain cracks have been exposed by changing work environments and the consequences of macroeconomic disruptions,” Starkey added.
The ransomware attack at Peter Green, which happened last week but was revealed by the BBC today, halted orders as of last Thursday and is likely to result in thousands of products going to waste.
A ransomware attack occurs when a hacker steals and encrypts a victim’s data, then locks them out of computer systems and demands a fee to restore access.
It is particularly common at third-party suppliers to major firms, which often have lower levels of security and can serve as back-door access to unleash widespread disruption.
Retailers are particularly vulnerable to attack not just because of the amount of payments data they hold, but because of the need to provide daily, direct services to customers, according to chief security officer at Thingsrecon, Tim Grieveson.
“When hackers target logistics systems or warehouse operations, even a short delay can be catastrophic, especially for perishable goods such as fresh produce or pharmaceuticals.
“A ransomware attack that halts refrigeration or reroutes deliveries can result in tons of spoiled inventory, lost revenue, and empty shelves,” Grieveson said.
$50 ransomware kits
Starkey said that widespread and collaborative change is the only solution to three years of heavy attacks by hackers.
“The security perimeter has disappeared due to remote and flexible working. There is no longer a corporate firewall protecting every device so cyber criminals have multiple entry points to slip in undetected,” Starkey said.
He said regulation or industry standards should be put in place to protect consumers and relevant stakeholders from “experiencing material damage and ensuring transparency from company officers”, adding that without this, ransomware criminals have no reason to stop because of the relative simplicity of the crime.
A ransomware kit costs as little as $50 (£37) on the dark web.
“Companies should start with the presumption that they will be targeted and have a comprehensive incident response plan in place, including a consumer notification process,” he added.
Sian John, CTO at NCC Group, said investment in a “robust cyber security strategy” is a must.
“[Firms need] not only enhanced monitoring and response capabilities, but also higher standards of supplier assurance, regular audits, and ongoing training for both staff and partners,” John said.
“Cyber security is a shared responsibility. Collaboration across the public and private sectors is essential. Government bodies, regulators and industry groups must work together to share intelligence, offer guidance, and promote best practices that protect the integrity of our national infrastructure.”