Understanding & Preventing Cybersecurity Risk in Your Supply Chain


Cyber risks are the top concern for companies globally in 2022, according to the Allianz Risk Barometer. In addition to heightened attacks as a result of increased remote work, companies and organizations are learning that their risk extends beyond their own network borders and across their vendor chain. In order to establish a strong security posture, companies must take a proactive and comprehensive approach to supply chain cybersecurity.  

So what exactly is supply chain security risk—and how can you protect yourself? 

In this article, we’ll take a deep dive into supply chain cybersecurity including how to measure cybersecurity risk and what steps to take to limit your exposure.

What is Supply Chain Security Risk?

Supply chain cybersecurity refers to the effort to strengthen security not just within your own organization, but with your suppliers and their n-tier suppliers as well. 

Companies rely on third-party suppliers and vendors to deliver the goods and services they need to support business. Whether that’s working with an accountant to balance the books, using software to collaborate across teams, or operating a full manufacturing and distribution supply chain, third-party suppliers interact with and impact a business on some level—making them a risk vector. 

Companies have long worked to reduce the risk associated with third parties by limiting their digital access and applying best practice security measures, such as zero-trust architectures that require user and device authentication. While this helps expand security beyond network perimeters, these efforts often only target the direct suppliers a company works with—making cybersecurity further down the supply chain a major challenge and a key vulnerability for businesses across industries.

Cybercriminals target organizations’ weakest links

Today, cyberattacks are increasingly advanced and insidious—often starting at the weakest point of a target’s supply chain, rather than making a direct attack on the target company. 

“Basically, high-end terrorists are looking at supply chain and supplier relationships to get into their targets,” says Matt Keyes, cybersecurity expert and Commercial Director EMEA at Craft.co. 

We’ve seen this in recent years with high-profile cyber attacks against companies like Target and SolarWinds. 

In late 2013, cyber attackers breached Target’s gateway server using credentials they had stolen from a third-party HVAC vendor. The HVAC company had access to Target’s systems so that it could monitor and maintain store temperatures. The attackers stole the supplier’s credentials through a spear-phishing campaign and used them to gain access to Target’s network. From there they installed malware on POS devices across the entire store network, compromising up to 40 million shoppers’ credit and debit cards and costing Target $18.5 million in settlement claims. 

More recently, in 2020 SolarWinds, a major U.S. technology firm, was the target of a cyberattack that expanded to their large customer network—leaving thousands of organizations, including the U.S. government, at risk. 

This massive breach began when hackers broke into SolarWinds’ network and added malware to its software product “Orion.” Orion is widely used software for managing IT resources, and SolarWinds had 33,000 customers using it. When SolarWinds pushed a standard software update to its customers in March 2020, the update included the compromised code. This created a backdoor through which the hackers could reach SolarWinds’ customers’ IT systems and install malware that allowed them to access, monitor, and control company systems for months undetected. 

The impact was staggering. Up to 18,000 customers installed updates that left them vulnerable to the hackers. Victims included major U.S. companies and organizations such as Microsoft, Cisco, and Intel as well as government agencies like the State Department, Department of Homeland Security, and parts of the Pentagon.    

In order to mitigate risk, organizations need to ensure that all their suppliers (and their suppliers’ suppliers) have taken measures to secure their data and ensure uninterrupted service.

The Global Supply Chain Faces Heightened Risk in 2022 

The COVID-19 pandemic accelerated digital transformation and remote work—ushering in a wave of increased cyberattacks and a focus on supply chain targets specifically. 

This was evident across multiple industries including software, manufacturing, government, and retail. In fact, software supply chain attacks grew by more than 300% in 2021 compared to 2020. And a staggering 92% of U.S. organizations have experienced a breach that originated with a vendor.  

As organizations plan for the future, they must adapt their supply chain security strategies to meet this new risk landscape in 2022. 

The rising challenge of Ransomware attacks

There are many types of cyber attacks that target supply chains, but ransomware has become an increasingly common weapon of choice. Global ransomware damage costs are predicted to reach $20 billion by 2021, 57 times more than in 2015, making ransomware the fastest growing type of cybercrime. 

This has led to the rise of an entire black market industry called ransomware-as-a-service.

Ransomware attacks typically use malware to take control of a system and lock companies out until they pay the ransom. Ransomware as a Service (RaaS) is a subscription-based business model (much like Software as a Service) that offers pay-for-use ransomware. 

In other words, ransomware operators sell ransomware to buyers (typically hackers) to use for cyberattacks. This allows buyers who don’t have the time or skill to develop ransomware on their own to get an operation up and running relatively quickly.

How it works:

  • Operators recruit buyers (also called affiliates) through marketing and forums. 
  • Affiliates pay for the ransomware and agree on a service fee for the collected ransom.
  • The operator then provides a dashboard for affiliates to set up their own ransomware package, track the package, and accept payment from the victim.
  • The affiliate then targets their victims, sets demands, compromises the victim’s assets, and executes the ransomware. 

Recently, a ransomware cyberattack shut down Colonial Pipeline, the largest oil pipeline in the U.S. Hackers were able to gain entry through a leaked password to an old account, giving them access to the virtual private network (VPN) used to access the company servers. 

The result: $4.4 million in ransom paid to DarkSide, a criminal hacker group responsible for the attack, plus price increases and gas shortages across the eastern United States. 

DarkSide claimed it was shutting down after the attack, stating it never meant to cause havoc and that its “goal is to make money and not create problems for society.” However, the cybersecurity company Check Point noted that DarkSide still supplies its ransomware to its partners. 

Due to the high-profile nature of ransomware attacks like the Colonial Pipeline breach, and wanting to avoid additional attention from government agencies, many hackers have shifted to targeting private sector companies that have hundreds to thousands of suppliers.

In fact, 69% of all malware attacks targeting organizations involved ransomware distributors, a 30% jump over the same quarter in 2020, according to a report by security specialist Positive Technologies. 

This illustrates one of the biggest threats posed by ransomware and by supply chain cybersecurity attacks more generally. Large vendors like Microsoft or SolarWinds, with huge supply chains and thousands or millions of customers, present a uniquely massive threat because so many organizations depend on them: a single compromise at the vendor reaches every downstream customer at once. 

Most Common Supply Chain Cybersecurity Risks 

With the looming threat of increased supply chain attacks, businesses of all sizes must be prepared to identify and evaluate their supply chain cybersecurity risks. This starts with understanding the types of risks to watch out for.

There are different types of cyber risk that fall under technical and non-technical categories:  

Technical Risk Categories

Network security: Protecting the networking infrastructure from unauthorized access, misuse, or theft. This includes using VPNs and encrypting data at rest and in transit.

Endpoint security: Securing network endpoints or end-user devices like laptops, desktops, and mobile devices. This includes installing antimalware and anti-ransomware on all devices.

DNS: Protection measures involving the DNS protocol. This includes monitoring for DDoS attacks and protecting against spoofing of email servers.

Patching Cadence: How often an organization reviews systems for updates to identify and mitigate vulnerabilities. This includes installing regular security patches for systems, networks, and software, and retiring end-of-life assets.

IP / IP Reputation: Detecting suspicious activity by identifying IP addresses that send unwanted requests. This includes monitoring emails and installing antimalware and anti-ransomware on all connected devices.

Application security: Developing and testing application security features to identify and mitigate vulnerabilities. This includes securing web applications from SQL injection and cross-site scripting attacks.

Storage: Protecting storage resources and the data stored in them. This includes limiting the collection, storage, or transmission of personally identifiable information (PII) and securing all devices that store and transmit sensitive data.  

Non-technical Risk Categories 

Processes: Ensuring there are robust written policies and processes for securing the IT environment. This includes continual monitoring, vendor risk management, incident response, regular audits, and business continuity plans.

People: Taking steps to secure user access through mitigation efforts like password policies, multi-factor authentication, and regular security training and education. 

Compliance & Certifications: Maintaining compliance through standards review, training, and certification. 

How to Conduct a Proper Supplier Cybersecurity Risk Analysis

Today, most organizations continue to rely on supplier surveys as the primary method for risk analysis. While surveys can provide important information, they have key limitations:

  • Surveys are point-in-time only, meaning they provide just a snapshot of a supplier’s current risk landscape, which can change quickly. This leaves survey data out of date and unreliable almost immediately.
  • Survey data is biased because suppliers want to portray themselves in the best light possible. This can result in exaggerated security efforts and/or an understated level of actual risk.
  • There’s never full compliance. It’s virtually impossible to get full participation from your suppliers, leaving you with blind spots in your supplier risk landscape.

Augment your supplier survey data with a robust supplier intelligence solution that:  

  • Aggregates data from a variety of external sources. 
  • Provides digestible risk scores for the risk categories outlined earlier. 
  • Doesn’t rely on biased and incomplete supplier responses. 

As Keyes explains, it’s critical to use a supplier intelligence platform that will tell you everything that's observable outside of the firewall, such as the vendor’s policies, the last time they updated their systems, whether they are using secure IP addresses, etc. The most detailed security data sits inside the supplier’s firewall, where you cannot see it, so an always up-to-date view of the outside is a key indicator of what might be going on inside.
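To make the outside-the-firewall view concrete, here is an added example (not Craft's code or scoring model) that turns a handful of externally observable signals for one supplier into per-category scores for several of the technical risk categories listed earlier (DNS, network security, patching cadence, IP reputation) and an overall risk rating. The supplier record, the category weights, the thresholds and the domain name are all constructed assumptions; a real platform would gather these observations continuously and calibrate the weights against incident data.

```python
"""Score a supplier's externally observable security posture.

Added example; not Craft's code. All observations, weights and thresholds
below are assumptions chosen for illustration.
"""
from datetime import date
from typing import Dict, Optional

# Constructed sample: what an outside observer might record for one supplier.
SAMPLE_SUPPLIER = {
    "domain": "supplier-example.test",                   # hypothetical domain
    "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-example.test",
    "spf_txt": "v=spf1 include:_spf.supplier-example.test ~all",
    "tls_versions": ["TLSv1.0", "TLSv1.2"],              # offered by its public web server
    "last_patch_seen": date(2021, 11, 2),                # newest patch visible in service banners
    "observed_on": date(2022, 3, 1),                     # the observation is only a snapshot
    "ip_blocklisted": True,                              # public IP appears on a reputation list
}

# Assumed category weights (sum to 1.0).
WEIGHTS = {"dns": 0.2, "network": 0.3, "patching": 0.3, "ip_reputation": 0.2}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}


def parse_tags(txt: Optional[str]) -> Dict[str, str]:
    """Parse a 'k=v; k=v' record (e.g. a DMARC TXT record) into a dict; empty if missing."""
    tags: Dict[str, str] = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dns_score(obs: dict) -> int:
    """Email-spoofing protection: DMARC policy strength plus the SPF 'all' qualifier (0-100)."""
    dmarc_points = {"reject": 70, "quarantine": 50, "none": 20}
    policy = parse_tags(obs.get("dmarc_txt")).get("p", "").lower()
    score = dmarc_points.get(policy, 0)          # no DMARC record at all scores 0
    spf = (obs.get("spf_txt") or "").rstrip()
    if spf.startswith("v=spf1"):
        if spf.endswith("-all"):
            score += 30                          # hard fail for unlisted senders
        elif spf.endswith("~all"):
            score += 20                          # soft fail only
    return score


def network_score(obs: dict) -> int:
    """Transport protection on the public edge: penalise legacy TLS, require modern TLS (0-100)."""
    offered = set(obs.get("tls_versions", []))
    score = 100
    if offered & LEGACY_TLS:
        score -= 40
    if not offered & MODERN_TLS:
        score -= 60
    return max(score, 0)


def patching_score(obs: dict) -> int:
    """Patching cadence, judged from the age of the newest externally visible patch (0-100)."""
    age_days = (obs["observed_on"] - obs["last_patch_seen"]).days
    if age_days <= 30:
        return 100
    if age_days <= 90:
        return 70
    if age_days <= 180:
        return 40
    return 10


def ip_reputation_score(obs: dict) -> int:
    """A blocklisted public IP is treated as a hard fail for this category."""
    return 0 if obs.get("ip_blocklisted") else 100


def rate(overall: float) -> str:
    """Map the weighted score to a digestible risk label."""
    if overall >= 80:
        return "low"
    if overall >= 60:
        return "moderate"
    if overall >= 40:
        return "elevated"
    return "high"


def score_supplier(obs: dict) -> dict:
    """Return per-category scores, the weighted overall score and the snapshot date."""
    categories = {
        "dns": dns_score(obs),
        "network": network_score(obs),
        "patching": patching_score(obs),
        "ip_reputation": ip_reputation_score(obs),
    }
    overall = round(sum(categories[c] * WEIGHTS[c] for c in categories), 1)
    return {"domain": obs["domain"], "categories": categories, "overall": overall,
            "risk": rate(overall), "observed_on": obs["observed_on"].isoformat()}


if __name__ == "__main__":
    print(score_supplier(SAMPLE_SUPPLIER))
```

The `observed_on` field is carried through deliberately: every score is tied to the date it was observed, which is the point-in-time limitation raised above for surveys, and a continuous platform would re-run this scoring as new observations arrive rather than trusting a months-old snapshot.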

Important Steps to Mitigate Supply Chain Risk

Once you understand what your supply chain cybersecurity risk is, you can take steps to mitigate that risk.

Move from a castle to a coalition approach

As risk extends beyond the traditional network perimeter to a company’s suppliers, organizations will need to take a different approach to cybersecurity. 

“Traditionally, you think of cybersecurity like a castle,” explains Keyes, “You just protect your own estate. But now it's not just about your walls—you have to think of all your partners.”

In other words, you can no longer just defend your own company. You have to make sure your network and suppliers are working together to build a cohesive security net around the interconnected supply chain.

Align efforts across your internal departments

One of the main challenges security teams face is how to get their boards and CEO to allocate budget to address the issue. After all, building a strong cybersecurity posture takes a village. And that doesn’t just include your vendors. Internally, organizations need to collaborate across teams and departments like procurement, information security, and finance to secure stakeholder buy-in for cybersecurity investment and initiatives. 

By forming an internal “coalition” built on robust supplier intelligence, it’s much easier to demonstrate the actual threats facing the organization and support your conclusions with compelling data.

Get supplier data from multiple sources  

Another key step to mitigate risk is to make sure you’re collecting and analyzing data from multiple objective sources on your suppliers. This is important not just for validating vendor-supplied information from surveys, but also for aligning data across internal teams. 

For instance, different teams will have different perspectives and even competing goals that can color their understanding of a supplier’s risk. But collecting and sharing supplier data from multiple objective sources allows you to collaborate more effectively with other internal stakeholders, such as finance and procurement to make sure you’re on the same page. 

This is especially important with suppliers who have high risk scores but whose contracts procurement, for example, is incentivized to push forward because it has only a limited view of the supplier’s fit. Comprehensive supplier data ensures internal alignment from a single source of truth, enabling better decision making, effective collaboration, and a stronger security posture.

Better cybersecurity rests on better supplier intelligence

“As supply chain cyber-attacks become more sophisticated and common, relying on your castle will no longer be enough,” says Keyes. “You need a coalition. And creating that coalition begins with understanding who your suppliers are, where their strengths and weaknesses lie and working together to create a stronger front line.”

Learn more about Craft's supplier intelligence platform here.