If you are a business owner and you have been paying attention, you may be justifiably concerned about the recent slew of high-profile ransomware attacks – many involving supply chain attacks that affect hundreds of businesses large and small.
What is a supply chain attack, and how can you defend your company against data breaches and ransomware attacks?
In this article, we will provide some guidance including resources to:
- Help prepare your company for possible supply chain attacks, data breaches, and ransomware attacks,
- Protect the personal information of your customers and employees,
- Stay in compliance with cybersecurity-related federal regulations that may apply to your business, and
- Avoid potential FTC enforcement actions if your company experiences a cybersecurity incident.
What is a Supply Chain Attack?
Supply chain attacks are nothing new – it’s the modern-day cyber equivalent of Virgil’s Aeneid and Homer’s Odyssey.
A “Trojan horse” – malicious code that is designed to steal data, provide a backdoor for hackers, or even shut down your systems – can be brought into your network in many ways. Most people understand these days that malicious code can come in through email links or downloads, and many companies are taking measures to protect against this well-known vulnerability.
But how well protected are your vendors’ systems, or your vendors’ vendors’ systems?
Supply chain attacks are when hackers place malicious code – or even physical components – into software and hardware that is used by hundreds or even thousands of companies including software development tools, computer manufacturers, website development tools, third-party data storage services, or any type of vendor that provides software or hardware to a broad range of businesses.
Supply chain attacks can be more than just malicious code, however – it is any type of attack that results from your company’s use of a third party. For example, many companies have suffered supply chain attacks when threat actors working for third party vendors have gained access to the company’s network and data.
You may have cybersecurity policies in place that provide a reasonable level of protection for your business, but are you also ensuring that your vendors’ products are free from infection? If you are connecting third party software or hardware or allowing third party access to your network and data, you can become a victim of a supply chain attack despite your best efforts to secure your own business’s systems.
FTC – Start with Security
Supply chain attacks are just one method hackers can use to obtain your company’s and your customers’ personal data or to conduct a ransomware attack on your company. If your business has the resources (and wants to protect those resources), it may be necessary to:
- Retain cybersecurity consultants to help secure your company’s systems and assess your company’s risk,
- Designate employees or corporate officers who will oversee drafting and enforcing cybersecurity policies, and
- Consult with your business’s attorneys to ensure that you are following federal regulations specific to your industry, have appropriate cybersecurity policies in place, and are protected from third-party threats with appropriate contract provisions with your vendors.
The Federal Trade Commission (FTC) has several guides for businesses to help prevent cybersecurity incidents – for example, Start with Security: A Guide for Business details some cybersecurity essentials for business like:
- Controlling access to your company’s data,
- Requiring secure passwords and authentication,
- How to store personal information securely,
- How to transmit personal information securely,
- Segmenting your network and monitoring who access it,
- Securing remote access to your network,
- Securing physical resources like paper and devices, and
- Ensuring that your service providers and vendors also have reasonable security measures in place.
Protect Personal Information of Customers and Employees
Another cybersecurity resource for businesses provided by the FTC is Protecting Personal Information: A Guide for Business, which provides guidance for protecting sensitive personal information like customers’ identities, social security numbers, or account numbers, including:
- Knowing what personal data your business has in its files and on its computers,
- Determining the data you need to keep for your business and getting rid of the rest,
- How to protect the personal information that you keep,
- How to properly dispose of the personal information that you don’t keep, and
- How to plan for incident response.
SBA Cybersecurity Guidance
The Small Business Administration also has resources to help small businesses prevent and respond to cyberattacks, including this guide that discusses:
- The most common cyber threats to small businesses – malware, viruses, ransomware, and phishing attacks,
- How to assess your business’s risk using planning and assessment tools including the Supply Chain Risk Management Toolkit, and
- Cybersecurity best practices – like employee training, network security, strong passwords, multifactor authentication, and protection of sensitive data.
Prevent Supply Chain Attacks
Who oversees supply chain security at your company?
Someone should – every company that uses cell phones, tablets, computers, online banking, data storage, or any type of information and communications technology (ICT) is connected to a global supply chain.
A chain is only as strong as its weakest link, and, as recent events have shown, hackers are now quick to exploit vulnerabilities in a company’s supply chain allowing them to attack multiple businesses at the same time.
Your company’s personnel who oversee supply chain security could be IT personnel, information security officers, risk management personnel, or just the employee who manages your vendors and supplies.
Prevent FTC Enforcement Actions
Is your company a victim of hackers, or are your customers a victim of your company’s negligence?
That’s the question the Federal Trade Commission may be asking after your company experiences a cybersecurity incident like a data breach or ransomware attack, and that’s why your company needs to proactively protect itself and its customers from hackers and be prepared to respond quickly to any cybersecurity incidents.
Federal Laws Related to Cybersecurity
Any type of business should be prepared for supply chain attacks, data breaches, and ransomware attacks, but some types of businesses are subject to additional types of data security and privacy regulations.
For example:
- The healthcare industry is subject to HIPAA’s privacy and data security rules to protect PHI (protected health information),
- The financial industry is subject to the GLBA’s (the Gramm-Leach-Bliley Act) privacy and data security rules to protect PII (personal identifying information),
- The software and technology industries are subject to various consumer rights data security and privacy laws, and
- The tax industry is subject to the Internal Revenue Service’s data privacy and security guidance including Section 7216, and tax preparers are considered financial in nature and therefore also subject to the GLBA.
Cybersecurity Policies, Supply Chain Contracts, and Incident Response
A comprehensive plan to protect your business against ransomware attacks, data breaches, and other cybersecurity incidents including supply chain attacks may include consultation with your business’s attorneys who can:
- Review your policies and procedures related to security and privacy,
- Advise your company on compliance with industry-specific laws and regulations,
- Review or negotiate your vendor contracts to ensure compliance with your cybersecurity policies, and
- Help your company to quickly respond to cybersecurity incidents, notify the appropriate agencies, and work to avoid FTC enforcement actions.
Please feel free to contact one of our Murray Lobb attorneys to obtain our legal advice regarding industry-specific cybersecurity laws and regulations, vendor contracts, and cybersecurity incident response. We also remain available to help you with all your general business, corporate, and estate planning needs.