Cyber Risk & Your Supply Chain: Managing the Growing Threat
You’ve likely heard that employees are the top source of cyber risk for businesses. But when you imagine “employee error” resulting in a data breach at your company, does it occur to you that this might be one of your suppliers’ employees?
It could be. In fact, there is now a 70% chance that a cyberattack on one company was caused in some way by one of their suppliers [1]. Capitalizing on human error and a host of other vulnerabilities, threat actors increasingly exploit weak links in supply chains to gain access to bigger targets up the chain.
Understanding Supply Chain Cyber Risk
The increasingly digital nature of supply chain relationships has caused the associated cyber risks to skyrocket. Gartner predicts that by 2025, 45% of businesses will have experienced a cyberattack on their supply chain [2]. What this means is that your company’s own internal security practices are now only partial protection; a comprehensive security program must now include cyber risk management strategies that cover your supply chain.
But how to accomplish this? The National Institute of Standards and Technology (NIST) suggests that supply chain risk management involves “identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats” [3]. To create effective mitigation strategies, therefore, it is helpful to understand common attack vectors for supply chain attacks:
Credentials Theft: By using social engineering attacks (e.g., phishing, vishing), threat actors can trick employees into sharing their login credentials. Once a threat actor gains access to a supplier’s network using stolen credentials, they can leverage that access to infiltrate the target business’ network, circumventing its security defenses.
Software Infection: Threat actors may also use infected software to execute attacks: by compromising either the software development process or the software distribution process, they insert malicious code or backdoors into the software. This allows them to gain access to the systems or networks of the software’s users and to steal data, disrupt operations, or cause damage.
Watering Hole Attack: A watering hole attack targets groups of organizations in a supply chain by injecting malicious code into websites that they commonly visit. The malicious code redirects users to a compromised website that hosts the threat actor’s malware. A watering hole attack is different from social engineering attacks, which trick users into clicking on malicious links or attachments. Instead, a watering hole attack takes advantage of users’ trust in the legitimate websites they usually visit.
Malware: Often introduced through attack vectors like those discussed above, malware may be used to further supply chain attacks. Threat actors may infect the devices or systems of one party in a supply chain, using malware to steal data or spy on activities, and then use what they gather to infiltrate their end target in the supply chain. Supply chain attacks may also include denial of service attacks that knock a business offline or ransomware attacks that hold the victim’s data hostage until a ransom is paid.
How to Manage Supply Chain Security Risks
Clearly, the complexity of supply chains, coupled with the complexity of today’s cyber threats, makes supply chain security risk management no easy feat. But with careful attention to component risk factors, a thorough and effective supply chain security risk management strategy is doable. Here are some essential pieces:
Policies: In the same ways that you establish and implement best practices and standards for cybersecurity for your own business (e.g., security awareness training, encryption, authentication, monitoring, backup, patching), your policies should also make explicit your security requirements for suppliers.
Risk Assessment: Conducting risk assessments will be instrumental in identifying potential vulnerabilities within your supply chain. Assessments allow you to determine which suppliers meet your security criteria and which need to improve their practices to remain a supplier.
Appropriate Access: Many supply chain attacks succeed because suppliers have been granted an unnecessary level of access to a partner’s network. Make sure each user only has the level of access necessary to fulfill their obligations as a supplier.
Training: Regular security awareness training for your own employees is definitely a must, but you may also consider offering suppliers training on your cybersecurity policies, procedures, and best practices.
Incident Response Planning: Your security program should be built around the assumption that a breach will occur, making incident response planning and testing a non-negotiable element of any supply chain security risk management strategy.
NexusTek helps businesses develop supply chain cyber risk management strategies through Virtual CIO (vCIO) consultation and construct strong cyber defenses that protect others in their supply chain.
1. Robinson, P. (2023, August 2023). Why are supply chain attacks increasing? Cybersecurity Magazine. https://cybersecurity-magazine.com/
2. Moore, S. (2022, April 13). 7 top trends in cybersecurity for 2022. Gartner. https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022
3. (n.d.). Supply chain risk management. https://csrc.nist.gov/glossary/term/supply_chain_risk_management