
We don’t have to look far to recognize the impact of supply chain risk on our world today. In an age of specialization, rapid digitalization, global outsourcing, lengthening software supply chains, and anonymous open-source code repositories available to almost anyone, there are a plethora of vectors that can be used to launch a supply-side attack.
The recent example affecting auto dealers across North America demonstrates how one breached supplier can mean millions of dollars lost in operational costs for the sector. Dealerships across the U.S. have seen operations hindered for weeks, with losses reaching $1 billion according to various news media sources.
The answer is to understand supply chain threats better, as the average business keeps at least 11 third parties on hand, and 98% of all organizations do business with a third party that has previously suffered a breach, according to research by the Cyentia Institute.
To that end, here is a crash course on the primary types of supply chain threats facing organizations today, what they stand to lose, and what can be done to avoid risks brought in by other companies.
The 3 Main Types of Supply Chain Attacks Today
The most common types of supply chain attacks cover three areas: software, connected devices, and people.
Software
As more software flows through today’s supply chains, attackers are increasingly looking to breach code repositories by inserting malicious code or by exploiting vulnerabilities and misconfigured services. Once inside the network, attackers move laterally and carry out their nefarious actions against the software provider. Compromising the services and operations of the software provider affects not only the provider but also every organization the provider reaches, since the provider would be unable to deliver its service to the business partners who depend on it.
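One concrete control against malicious code slipped into a software delivery is to record the digest of every artefact you reviewed and refuse anything that arrives with a different digest, or with no recorded digest at all. The script below is an added example written for this article and is not Fortra’s code; the artefact names, contents and manifest are all constructed for illustration. It builds a sha256sum-style manifest from a set of vetted files, then checks a later delivery in which one artefact has been altered and another was never reviewed.

```python
"""Verify third-party software deliveries against a pinned SHA-256 manifest.

Added example (not from the original article). Every artefact, name and
digest below is constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of an artefact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(vetted: Dict[str, bytes]) -> str:
    """Record digests of reviewed artefacts in sha256sum's 'digest  name' format."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(vetted.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'digest  name' lines; reject anything that is not a 64-hex-char digest."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pins[name] = digest.lower()
    return pins


def verify_delivery(manifest_text: str, delivered: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each delivered artefact as ok, mismatch or unpinned.

    Pinned artefacts that did not arrive are reported as missing so that a
    partial delivery is also visible to the reviewer.
    """
    pins = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, data in delivered.items():
        expected = pins.get(name)
        if expected is None:
            report[name] = "unpinned"          # never reviewed: do not install
        elif hmac.compare_digest(expected, sha256_hex(data)):
            report[name] = "ok"
        else:
            report[name] = "mismatch"          # bytes changed since review
    for name in pins:
        if name not in delivered:
            report[name] = "missing"
    return report


def safe_to_install(report: Dict[str, str]) -> bool:
    """Only an all-'ok' report clears the delivery for installation."""
    return all(status == "ok" for status in report.values())


# Constructed sample: the artefacts as they looked when they were reviewed.
VETTED: Dict[str, bytes] = {
    "vendor-agent-1.4.2.tar.gz": b"vendor agent build 1.4.2 (reviewed)\n",
    "report-lib-0.9.1.whl": b"reporting library 0.9.1 (reviewed)\n",
}

# The manifest is produced at review time and stored apart from the download channel.
MANIFEST: str = build_manifest(VETTED)

# Constructed sample: a later delivery in which vendor-agent was altered upstream
# and an unreviewed helper tool was added.
DELIVERED: Dict[str, bytes] = {
    "vendor-agent-1.4.2.tar.gz": b"vendor agent build 1.4.2 (reviewed)\n" + b"extra payload\n",
    "report-lib-0.9.1.whl": b"reporting library 0.9.1 (reviewed)\n",
    "helper-tool-2.0.0.zip": b"helper tool 2.0.0 (never reviewed)\n",
}


if __name__ == "__main__":
    result = verify_delivery(MANIFEST, DELIVERED)
    for name, status in sorted(result.items()):
        print(f"{status:9} {name}")
    print("install:", "allowed" if safe_to_install(result) else "blocked")
```

The check only has value if the manifest itself was produced from a reviewed copy and kept somewhere the supplier’s delivery path cannot rewrite; a digest fetched alongside the artefact from the same compromised location verifies nothing.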
Connected Devices
Attackers take advantage of connected devices to plant malware or other malicious code on as many devices as they can access. These devices can include servers, desktops, HVAC, power and physical security systems, network-connected CCTV systems, and more. These endpoints serve as gateways for threat actors, who use them to pivot to other, more sensitive internal resources. Common tactics for entry include malicious links in phishing emails, physical intrusion by attaching hardware devices to the endpoint itself, or plugging USB thumb drives into a device.
People
Social engineering attacks are extremely common methods that cybercriminals use to infiltrate the supply chain. Especially on trusted business platforms, it is easy not to second-guess a message from someone you “know” and to click a link, fill out a form, or download a file. The problem comes when those accounts have been compromised by attackers, and the information handed over in response to their simple request leads to a third-party breach.
The Consequences of Supply Chain Attacks
Many industries have regulatory requirements that demand mitigation strategies for supply chain security, and for good reason. A breach in the supply chain can be as costly to an organization as a cyberattack on their own systems, and potentially more. There is an inherent risk in working with third parties as there is no guarantee that they will maintain the same security standards or practices as the host organization, which can often be larger and more influential.
That is why threat actors often target smaller supply chain vendors with lightweight security measures in order to infiltrate larger companies with enterprise-grade security tools. The trusted access that third parties have with these organizations can also help attackers circumvent traditional defenses, making their ploys even more subtle and much like an insider attack.
The results of a supply chain attack can include:
Operational disruptions that bring production lines to a standstill
Financial losses from halted operations, lost sales, and ransom payments
Legal costs incurred from lawsuits and regulatory fines due to the loss of sensitive data
Corporate espionage as the result of stolen proprietary information and intellectual property
Compliance penalties when the attack reveals security controls not compliant with standards such as GDPR, HIPAA, CCPA, PCI DSS, and more
In addition, the cost of mitigating the attack – including incident response, recovery from backups, and restoration of operations – can be significant enough that it gets passed down to the customer. This causes the victim company to be at high risk of losing customer trust and business.
Defending Against Supply Chain Attacks
Several best practices go into mitigating supply chain attacks. Here are two of the most vital.
Take responsibility for supplier security management. It is up to the organization to ensure the level of risk being taken by the third party is acceptable. If it is not, the organization can refuse the partnership or request that the third party increase their security posture in order to be brought on as a business partner. This will also require the partner to demonstrate their increased security hygiene.
Prevention is not enough – have an incident response plan. Despite the most comprehensive preparation, the odds still favor attackers in an arena as big as the global supply chain (software and physical). That is why every organization must have updated and tested plans in place for incident response, disaster recovery, and business continuity in the event of a crisis. While there may not be much you can do to reverse the attack, well-prepared entities can limit its spread and avoid many of the consequences that come with it, saving costs, reputation, and possibly data in the process.
Supply chain attacks are a threat that must be dealt with by nearly every digitized organization today, and to make matters worse, they’re increasing. Knowing that nine in ten businesses work with a supplier that has been breached at some point, security measures such as continuous third-party security monitoring and well-honed disaster recovery plans are essential.
It is more likely that an organization will be the victim of a supply chain attack than not, and this will likely remain the case until businesses treat third-party risk with the seriousness it deserves. And in today’s world, taking this threat seriously often means shouldering the burden of supply chain security yourself. Although it requires significant investment, it beats the alternative.
Cybersecurity for Your Industry
Your industry is unique. Your cybersecurity stack should be, too. Fortra® offers cybersecurity solutions to meet the challenges and compliance requirements of industries around the world.