CXO CASE INSIGHT STUDY
How common are supply chain cyberattacks?
They are fast becoming the norm, with supply chain providers facing threats daily. Threat actors are looking to get the most ‘bang for their buck’, creating the most disruption with the least resource. So why would they target just one business, when they can target a third-party services provider to bring down not just its operations, but also all of its customers?
And think how many third-party providers the average organisation now has. Recent supply chain attacks have made it painfully clear just how much cyber-risk now lives outside the perimeter of organisations’ cybersecurity defences. Each connection to a third-party provider creates a new entry point for a potential attack. Today, vendor and supply chain risk is a far cry from the paperwork exercise it used to be. Now, it’s a core operational risk.
How do supply chain cyberattacks affect businesses and operations?
Organisations often underestimate just how much of their operations rely on the services provided by third parties, and the effects can be devastating with decreased or even halted production. Beyond the obvious material impacts, there’s also the unavoidable damage to customer trust. Whether it’s a consumer brand or a business-to-business brand, becoming the victim of a cyberattack, no matter the circumstances, can be a reputation killer as customers begin to question the safety and security of their data.
This leads to another considerable impact – regulatory fines. For businesses across Europe, GDPR is a major consideration. Even in non-European Union countries, many have implemented GDPR under their own legislation. In the event of a supply chain cyberattack that compromises customer data, they can face fines of up to €20 million or 4% of annual global turnover (whichever is higher) if under the EU version, for example.
How can businesses build resilience against these types of attacks?
By prioritising both agility and reactivity. With supply chain security, you need to consider the risk associated with not just your suppliers, but your suppliers’ suppliers and so on. There are so many moving parts that it’s realistically impossible to be 100% preventative. You need to take an approach where you identify the absolute most critical vendors and invest in securing them as carefully as possible, with measures such as least privilege and monitoring tools.
Then build monitoring tools with proactive approaches like threat hunting using Managed Detection and Response services for everything else. This should include a balance of automated and manual security techniques, with specialists using specialised threat intelligence feeds to inform their work.
Are organisations much more aware of third-party risks?
It’s definitely moving in the right direction. Recent regulatory updates have also elevated the conversation around supply chain in a new way. For instance, NIS2 and DORA have required more thorough vetting of third-party providers. As disruptive as the recent swathe of big-name attacks has been, they’ve also caught the attention of organisations looking to avoid the same fate, who are now taking a hard look at their extended risk profile.
In my opinion, most organisations are still not where they need to be. The majority of ‘third-party risk’ has devolved into a questionnaire exercise. It’s rarely a security-led evaluation – so it becomes box-checking, rather than risk management. The real mark of awareness comes when organisations stop trying to assess all of their suppliers equally and instead identify and focus on the suppliers that actually matter.
Which industries are currently most vulnerable to supply chain attacks, and why?
Every industry faces its own unique supply chain vulnerabilities, but I’d say manufacturing is particularly susceptible to these attacks. Due to the nature of production, manufacturers can have dozens of third-party suppliers all along the production chain with deep access into mission-critical systems. And, with so much production technology lagging technically, the proliferation of older tech along the chain can leave gaps open for attackers that organisations aren’t even aware of.
In our own research report, State of Ransomware report for Manufacturing, we found a significant, self-confessed knowledge gap across manufacturers. Over 40% of manufacturers named a ‘lack of expertise’ as a contributor to a ransomware attack, with ‘unknown security gaps’ and a ‘lack of protection’ not far behind. It’s clear that the sheer scope of third-party suppliers is overwhelming manufacturing, leaving them vulnerable to attacks as adversaries wise up to the gaps.
What recent trends or evolutions have you seen in supply chain attack techniques?
The most notable trend is the compromise of high-privilege SaaS vendors, especially core security and IT platforms. Adversaries know where to hit to cause the most damage, and when these vendors get hit, the blast radius is immense.
There’s also a lot more risk in open-source software supply chains than some might realise. Open-source dependencies mean that even a small third-party component can pull in hundreds of additional packages, requiring blind trust in thousands of lines of code. The reality is that organisations don’t have a full understanding of what they’re pulling in. At best, you could be downloading outdated, unmaintained code. At worst, the repository itself could have been poisoned by attackers, meaning that you’re essentially opening the door for adversaries.
And perhaps not a trend, but a warning to not underestimate the effort that threat actors are willing to put into these attacks. In our Pacific Rim defensive and counter-offensive operation, we battled a sustained attack that lasted over five years. Supply chain adversaries are clearly willing to invest significant time and
www.intelligentcxo.com
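The point about a small component pulling in far more code than anyone consciously chose is easy to make concrete. The following is an added example, not code from the interview or the interviewee's organisation: it walks a constructed dependency manifest (hypothetical package names and release dates, not real packages) from an application root, counts how many packages are reached transitively versus declared directly, records how deep the chain goes, and flags packages whose last release is older than an assumed two-year threshold as candidates for "outdated, unmaintained code". The staleness threshold, the manifest format and the report date are all assumptions made for the example.

```python
from collections import deque
from datetime import date

# Constructed sample manifest (hypothetical packages, not real ones).
# Each entry lists the package's direct dependencies and its last release date,
# the two pieces of information a lockfile plus registry metadata would give you.
MANIFEST = {
    "app":               {"deps": ["web-framework", "yaml-parser"],               "last_release": date(2024, 5, 1)},
    "web-framework":     {"deps": ["http-core", "template-engine", "router"],     "last_release": date(2024, 3, 10)},
    "http-core":         {"deps": ["sockets-util", "tls-wrapper"],                "last_release": date(2023, 11, 2)},
    "tls-wrapper":       {"deps": ["crypto-primitives"],                          "last_release": date(2019, 6, 14)},
    "crypto-primitives": {"deps": [],                                             "last_release": date(2018, 1, 20)},
    "sockets-util":      {"deps": [],                                             "last_release": date(2024, 1, 5)},
    "template-engine":   {"deps": ["string-escape"],                              "last_release": date(2022, 9, 30)},
    "string-escape":     {"deps": [],                                             "last_release": date(2017, 4, 3)},
    "router":            {"deps": ["http-core"],                                  "last_release": date(2024, 2, 11)},
    "yaml-parser":       {"deps": ["string-escape"],                              "last_release": date(2023, 7, 7)},
}

# Assumed date on which the report is generated (fixed so results are reproducible).
REPORT_DATE = date(2025, 1, 1)

# Assumed threshold: a package with no release in ~2 years is flagged for review.
STALE_AFTER_DAYS = 730


def transitive_dependencies(manifest, root):
    """Breadth-first walk from `root`, returning {package: depth} for every
    package reachable through the dependency graph, excluding the root itself.
    The `seen` dict doubles as a visited set, so cycles and shared dependencies
    (e.g. two parents depending on the same package) are counted once."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in manifest.get(pkg, {}).get("deps", []):
            if dep not in seen:
                seen[dep] = seen[pkg] + 1
                queue.append(dep)
    del seen[root]
    return seen


def stale_packages(manifest, packages, today, max_age_days=STALE_AFTER_DAYS):
    """Return the sorted subset of `packages` whose last release is older than
    `max_age_days` as of `today`."""
    return sorted(
        pkg for pkg in packages
        if (today - manifest[pkg]["last_release"]).days > max_age_days
    )


def dependency_report(manifest, root, today=REPORT_DATE):
    """Summarise what `root` really pulls in: direct vs transitive counts,
    the longest dependency chain, and which reached packages look unmaintained."""
    closure = transitive_dependencies(manifest, root)
    return {
        "direct": len(manifest[root]["deps"]),
        "transitive": len(closure),
        "max_depth": max(closure.values(), default=0),
        "stale": stale_packages(manifest, closure, today),
    }


if __name__ == "__main__":
    report = dependency_report(MANIFEST, "app")
    print(f"Declared directly: {report['direct']} package(s)")
    print(f"Actually pulled in: {report['transitive']} package(s), "
          f"up to {report['max_depth']} levels deep")
    print("Stale candidates for review:", ", ".join(report["stale"]) or "none")
```

Running it against the constructed manifest shows two declared dependencies expanding into nine packages, four levels deep, with four of them not released in over two years. Against a real lockfile the same walk is the starting point for deciding which transitive packages deserve the scrutiny the interview reserves for the most critical vendors.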