Supply Chain Cyber Risk Management — Why Current Practices are Doomed

Supply chain security risks can pose threats in different ways, with some scenarios more dangerous than the others. For larger companies, protecting the data of their customers is the foremost priority because they are very well aware of the threat to their services emanating from these cybersecurity risks.

The access point for this cyber-attack that took place in 2013 was the unfortunate HVAC contractor. Using network credentials stolen from Fazio, attackers hacked the data of more than 70 million customers. This data was containing the important information of the customers ranging from phone numbers to payment card information.

The matter is more sensitive for the larger companies and organisations that include thousands of vendors in their network. Recent research points out that on average a larger organisation consists of over 4700 vendors. Suppliers connect to their customers through systems and data via electronic means. This connection is full of undesired consequences. In the year 2018 alone, 59% of Companies experienced a supplier-caused or related data breach. These stats are quite alarming as only 16% of these companies say they have worked successfully towards reducing these supplier cyber risks.

Problems and Risks to Digital Supply Chain Security

There are 3 main types of cyber threats that can impact supply chain security. Supply chain attack is the topmost threat to supply chain security. A list of these risks are as follows:

  • Network hardware provided to the company with a malware installed on it already. This type of supplier cyber risk is the most common threat in the supply chain. One such example is Superfish malware installed on Lenovo notebooks.
  • Malware that is inserted into software or hardware supplied to a company. This type of threat was used by the Dragonfly cyber group.
  • Weakness and vulnerabilities in software applications and networks within the supply chain. Hackers can easily spot these weaknesses to exploit and launch cyber-attacks.

Supply Chain Attacks

First, you need to understand what a supply chain is. A supply chain is a complex network of interdependent players that work solely on supply and demand rule. A supply chain starts from raw materials, supplier, and ends at consumers as illustrated in the below-given figure.

A supply chain attack is also known as the third party attack, is aimed at damaging the function of an organisation by attacking the less secure links in the supply chain. In most cases, suppliers are used as a weak link to inflict the damage to the targeted organisation, mostly by hackers. According to Carbon Black’s 2019 Threat Report, around 50% of supply chain attacks leverage “island hopping.” This is a clear indication that not only one network, but also a series of networks connected via supply chain is under the radar of attackers.

The situation has deteriorated further in the recent past as more suppliers and service providers touching sensitive data more than ever before. As a result, in the year 2018 alone the number of supply chain attacks increased by 78% over the previous year.

Past Examples: The recent history is replete with the supply chain’s attacks where suppliers and other third parties were directly involved in a data breach. In the year 2014, the Target breach was happened because of lax security at an HVAC vendor. Similarly, Equifax blamed a vendor for a massive data breach this year, happened due to faulty download link on its website.

These examples are just the tip of the iceberg, as in the year 2018 alone, 56% of the companies put blame on one of their vendors for data breaches. Only 36% of the companies were aware of all the third parties to with they were sharing sensitive information of the customers. Alarmingly, only 18% of the companies were aware of the vendors that are responsible for sharing the sensitive data with the third party that caused these massive supply chain attacks.

Consequences For The Business And Organisations

Data breaches caused by suppliers or any other third party pose a serious threat to a particular organisation. Customers don’t care if the organisation itself or a third party was responsible for their sensitive data breach and avoid purchasing anything from that particular organisation.

As a result, these organisations suffer not only reputation and financial problems. but also regulatory consequences. Following regulations and organisations hold businesses accountable for these data breaches.

  • California Transparency in Supply Chains Act.
  • GDPR

Why The Current Practices Are Bound To Fail

In the past few years, the magnitude of supplier cyber risks has increased manifold. In the last 2 years alone, the cases of supply chain attacks doubled in numbers. In contrast, the overall maturity of supplier cyber risk management programs remains virtually unchanged if not deteriorated further. The current practices are not only outdated but ineffective in most cases. Few loopholes of current practices are as follows:

  • Lack of awareness of real-time cyber supplier threats and risk visibility.
  • No progress towards instituting governance and technology to wrap their arms around supplier cyber risks. It also includes a software supply chain, access governance, or data handling.
  • Lack of knowledge related to threat actors present in the supply chain.
  • The current practices are not only manual but non-integrated.
  • No clear procedure for vendor’s assessment because of the higher number of vendors and lack of capacity to do it.
  • Overall complex supplier ecosystem.

The complexity of current supplier ecosystem is one of the reasons behind supplier cyber risks. Making it simple can play an important role in improving business performance. Interaction of suppliers with vendors is the ultimate cause of these cyber threats. To minimise supplier cyber threats, it is important to adopt new techniques along with better awareness of the threat.

About Cyble:

Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Their SaaS-based solution powered by machine learning and human analysis provides organizations’ insights to cyber threats introduced by suppliers and enables them to respond to them faster and more efficiently.

Cyble strives to be a reliable partner/facilitator to its clients allowing them with unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, the dark web and deep web monitoring and passive scanning of internet presence. Furthermore, the intelligence clubbed with machine learning capabilities fused with human analysis also allows clients to gain real-time cyber threat intel and help build better and stronger resilience to cyber breaches and hacks. Due to the nature of the collected data, the company also offer threat intelligence capabilities out-of-box to their subscribers.


Scroll to Top