Supply Chain Risk is Changing. What Does It Mean For You?

Supply chain issues were on everyone's mind when the pandemic started. We knew the pandemic would slow things down: borders were closed, people weren't working, and freight wasn't moving. What organizations did not anticipate, however, was that the supply disruption would be even greater than we expected. Thanks to the length of the pandemic, new lockdowns, and the war in Ukraine, supply lines were shut down for much longer than anyone anticipated.

Many of those attacks were digital, which was also unanticipated. According to Argon Security data, software supply chain attacks increased by 300% between 2021 and 2022. Bad actors targeted vulnerabilities in third party software to breach their clients: large companies. The SolarWinds attack is a perfect example of this. When SolarWinds, a vendor, was breached in 2020, more than than 40 of its clients were affected in the breach, including government agencies and major corporations. The full extent of that attack is still unknown, but data including government information, the emails of U.S. officials, court documents, and sealed documents were stolen in the breach.

For this reason companies need to be aware of third party cyber risk.

What is third party risk?

Third party risk is any risk to your organization brought about by a third party: vendors, partners, contractors, suppliers, and any other organization or individual with access to your data, systems, or networks.

Although third party risk applies to any third party, it’s most often mentioned in relation to cyber risk. Because so many organizations rely on digital suppliers to do business, digital vendors often have access to sensitive information. Criminals know that, and often target suppliers like cloud providers and other vendors.

This comes with a cost. According to IBM and the Ponemon Institute, about one fifth of the data breaches that happened in the last year were the result of supply chain attacks. Those breaches were both 2.5% more expensive and took 26 days longer to detect than other data breaches. Supply side data breaches also compromise an organization’s reputation, cause compliance issues, and are followed by legal action.

To learn how best to protect against supply chain attacks, talk to us now about assessing your security.

How can you protect against third party breaches?

Supply side hacks are difficult to prevent; you can control your own cybersecurity posture, but when it comes to doing business with vendors, you often have to trust that they are secure and compliant. While many organizations rely on security questionnaires to ensure compliance, your organization is taking the vendor’s word that they are secure. There are, however, steps you can take to protect your networks and data against a third party data breach.

1. Know your third parties. It can be difficult to know who your vendors are, especially in large organizations, where some departments may work with their own contractors. It’s important to audit your third parties regularly. The first step in knowing your risk is knowing who you’re working with.

2. Patch regularly. Software providers regularly release security patches to correct vulnerabilities in their software. Criminals know when these are released, and they’re counting on you not to install the patches in a timely fashion. Install every patch as quickly as possible to minimize your risk.

3. Use good password hygiene. Weak passwords are often the first step toward a breach. Enforce your password policies, make sure no one is able to use a weak password, and consider using multi-factor authentication.

4. Enforce Zero Trust. The concept of Zero Trust eliminates implicit trust in devices and users. Under Zero Trust, you must verify every device and user that connects to your systems, even if they’ve connected to your network before.

5. Understand malicious apps. While most of your workers (hopefully) know better than to plug an unknown USB device into their computers, they may not think twice about plugging their phone into their computer to charge it. If they’ve downloaded malicious apps without knowing this, that's a risk.

How can you learn more about security for small companies?

Startups are often more at risk when it comes to hacks and breaches than larger companies. They don’t always have the money to invest in high-end tools and security, and they often use open-source code and tools when developing their products. This can put them and their clients at risk.

There are, however, ways to secure small companies against attacks and data breaches. There are grants and government programs to help startups become more secure, although it can be difficult to find those resources.

To learn what funding is available to harden vendors or your own organization against cyber threats, contact us.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.