Supply chain security risks threaten organizations in different ways, and some scenarios are more dangerous than others. For larger companies, protecting customer data is the foremost priority, because they are well aware that cybersecurity risks in their supply chain, the domain of supply chain risk management (SCRM), threaten their services directly.
The entry point for the 2013 Target cyber-attack was the retailer's HVAC contractor, Fazio. Using network credentials stolen from Fazio, attackers accessed the data of more than 70 million customers. This data contained sensitive customer information, ranging from phone numbers to payment card details, highlighting the need for robust supply chain risk management.
The matter is more sensitive for larger companies and organisations whose networks include thousands of vendors. Recent research indicates that a larger organisation works with over 4,700 vendors on average. Suppliers connect to their customers' systems and data electronically, and this connectivity carries undesired consequences. In 2018 alone, 59% of companies experienced a supplier-caused or supplier-related data breach. These figures are alarming, as only 16% of these companies say they have succeeded in reducing their supplier cyber risks.
Problems and Risks to Digital Supply Chain Security
There are three main types of cyber threat that can affect supply chain security, of which the supply chain attack is the foremost. The three risks are as follows:
- Network hardware delivered to the company with malware already installed on it is a prime example of why SCRM is critical. This type of supplier cyber risk is the most common threat in the supply chain. One such example is the Superfish malware installed on Lenovo notebooks.
- Malware that is inserted into software or hardware supplied to a company underlines the importance of supply chain risk management. This type of threat was used by the Dragonfly cyber group.
- Weaknesses and vulnerabilities in software applications and networks within the supply chain emphasize the need for robust SCRM strategies. Attackers can readily find these weaknesses, exploit them, and launch cyber-attacks.
Supply Chain Attacks
First, you need to understand what a supply chain is. A supply chain is a complex network of interdependent players operating on the rule of supply and demand. It runs from raw materials, through suppliers, to consumers. To mitigate the associated risks, companies must implement supply chain risk management measures.
A supply chain attack, also known as a third-party attack, aims to damage the operations of an organization by attacking the less secure links in its supply chain. In most cases, suppliers are the weak link used to inflict damage on the targeted organization, which makes supply chain risk management a critical part of cybersecurity. According to Carbon Black’s 2019 Threat Report, around 50% of supply chain attacks leverage “island hopping,” indicating how important SCRM has become.
The situation has deteriorated further as more suppliers and service providers handle sensitive data. As a result, the number of supply chain attacks has increased, which calls for strong supply chain risk management (SCRM) protocols. In 2018 alone, the number of such attacks rose by 78% over the previous year.
Past Examples
Recent history is replete with supply chain attacks in which suppliers and other third parties were directly involved in a data breach. In the year 2014, the Target breach happened because of lax security at an HVAC vendor. Similarly, Equifax blamed a vendor for a massive data breach this year, which happened due to a faulty download link on its website.
These examples are just the tip of the iceberg. In 2018 alone, 56% of companies blamed a vendor for a data breach, illustrating the urgent need for effective supply chain risk management practices. Only 36% of companies were aware of all the third parties they were sharing sensitive information with, showing gaps in SCRM procedures. Alarmingly, only 18% of companies knew which of their vendors were passing that sensitive data on to the third parties that caused these massive supply chain attacks.
Consequences For The Business And Organisations
Data breaches caused by suppliers or any other third party pose a serious threat to an organization. This makes supply chain risk management crucial for protecting both the business and its customers. Customers do not distinguish between a breach by the organization itself and one by its third party: either way, they stop purchasing from that organization.
As a result, these organizations suffer not only reputational and financial damage but also regulatory consequences. Compliance with regulations such as the California Transparency in Supply Chains Act and GDPR highlights the need for companies to prioritize supply chain risk management.
Why The Current Practices Are Bound To Fail
In the past few years, the magnitude of supplier cyber risks has increased manifold. In the last two years alone, the number of supply chain attacks doubled. In contrast, the overall maturity of supplier cyber risk management programs has remained virtually unchanged, if it has not deteriorated further. Current practices are not only outdated but ineffective in most cases. Some of the gaps in current practices are as follows:
- Lack of awareness of real-time cyber supplier threats and risk visibility.
- No progress toward instituting the governance and technology needed to get a grip on supplier cyber risks, including the software supply chain, access governance, and data handling.
- Lack of knowledge related to threat actors present in the supply chain.
- Current practices are manual and not integrated with one another.
- No clear procedure for vendor assessment, because of the large number of vendors and a lack of capacity to assess them.
- An overall complex supplier ecosystem.
The complexity of the current supplier ecosystem is one of the reasons behind supplier cyber risks, and simplifying it can play an important role in improving business performance. The interaction of suppliers with vendors is the ultimate source of these cyber threats. To minimize supplier cyber threats, it is important to adopt new techniques alongside better awareness of the threat and stronger SCRM policies.
About Cyble
Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain risk management challenges and cyber threats. Their SaaS-based solution, powered by machine learning and human analysis, helps clients mitigate risks by enhancing their SCRM capabilities. Cyble strives to be a reliable partner/facilitator to its clients, allowing them unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, dark web and deep web monitoring, and passive scanning of internet presence.
Furthermore, this intelligence, combined with machine learning capabilities and fused with human analysis, also gives clients real-time cyber threat intel and helps them build stronger resilience against cyber breaches and hacks. Because of the nature of the collected data, the company also offers out-of-the-box threat intelligence solutions to its subscribers, providing them with comprehensive supply chain risk management capabilities.