Explainers & Guides
Third-Party Risk Management: 4 ways CISOs can work smarter
In 2024 cyber security budgets are expected to increase by an average of 6%, which is good news. But even with larger budgets, cyber security professionals cannot put the same emphasis on every threat out there. There are just far too many. One way to approach this dilemma and provide some focus and guidance for the year ahead is to discern some of the major trends and associated threats that are likely to have a high degree of likelihood of transpiring, and a high impact if they do. These are the threats that ought to be on the priority list of cyber security teams.
So what supply chain cyber risks should security teams be concentrating on in 2024? We predict that among the leading threats will be those associated with the rapid evolution of generative AI tools, systemically-relevant concentration risks in organisations’ extended supply chains, state-sponsored attacks, and social engineering attacks.
Since its introduction in late 2022, OpenAI’s Large Language Model (LLM), ChatGPT, swiftly became the most popular app of all time, with the highest growing user base in history. ChatGPT and other generative AI tools are already impacting nearly every industry and profession. In some cases, adoption is an informed choice to introduce LLMs into business workflows. However, often the adoption is indirect and less controlled as suppliers (especially SaaS providers) have already integrated LLMs into their systems and services at breakneck speed, imposing the change on organisations using their software.
Generative AI is a double-edged sword. On the one hand, it will help security teams by adding its advanced data analysis power to enhance threat intelligence and analysis, early detection, incident response, smart authentication, among other activities, while also reducing the resource burdens on teams. Via APIs and plugins, these tools are already being introduced into security software such as threat intelligence tools, Security Information and Event Management (SIEM), Intrusion Detection or Vulnerability Management systems. They also allow users to remain proactive in their security efforts by adding a logical layer to protect organisations’ data, for example by learning what’s ‘normal’ in their organisation-specific environments.
On the other hand, threat actors, too, are making increased use of the power of these new tools, not least for designing and refining malware that is harder to detect as well as for enhancing their phishing techniques, but more on this later. Generative AI applications also bear many security risks for organisations using them, especially to the confidentiality, integrity and availability (CIA triad) of corporate data. Like any other software, generative AI and LLMs can be compromised, for example via prompt injection attacks, data poisoning, denial of service attacks, or inference attacks. But they can also pose risks to organisations based on their proclivity for ‘hallucinations’ and generating false information.
Last but in no way least, there is a risk of employees feeding sensitive proprietary or customer data into these tools, exposing this data to potential unauthorised access. Since AI tools often resemble black boxes, users can also not be sure how the data they input into these tools is being handled. On average, enterprise employees are entering confidential business data into ChatGPT 199 times per week, thus exposing these organisations, and their customers, to both security and privacy risks.
The majority of security professionals attribute the significant overall increase in cyber attacks since 2023 not least to the emergence and widespread adoption of generative AI, with 82% worried about how generative AI “might enable additional cyberattacks”. However, despite over half (53%) of organisations acknowledging generative AI as a risk, just over a third (38%) have so far taken steps to mitigate against it. Furthermore, remote workers are leaving organisations particularly exposed to these new AI risks as they employ tools to support communication and collaboration. According to Verizon’s Data Breach Investigation Report, web apps used by remote workers were responsible for 90% of the data breaches, and with many of these tools already integrating AI capabilities into their services, this risk will only increase.
Given the novelty of the new AI tools and the lack of sufficient guardrails in place as of yet, there is a significant potential for generative AI-related cyber security disruptions in 2024. We expect 2024 to be a tumultuous year with regard to what generative AI will hold in store for us.
To mitigate against these new risks, it will be paramount for security teams to:
The second biggest threat to organisation’s supply chain cyber security are concentration risks beyond immediate suppliers and third parties, in their extended supply chains. Before we look at these more specific types of concentration risks, let us first define what types of concentration risks exist. There are essentially three main types of concentration risks in corporate supply chains that organisations potentially face.
The first is when organisations rely too heavily on one supplier for any business-critical processes or services, without any backup options in place. Should such a critical supplier be breached and go offline or cease to be able to provide its services, this could pose immediate business continuity risks to organisations solely relying on the supplier and not having a backup provider in place.
The second type of concentration is fourth-party concentration risk, when multiple suppliers of an organisation rely too heavily on the same fourth party, with which the organisation itself is not even directly connected. Should this fourth party get breached, this could affect all the above-mentioned third party suppliers at the same time, potentially resulting in all of them becoming unable to continue to provide their services to the organisation in question.
The third type of concentration risk is ‘systemic risk’, which transpires when a large number of organisations in the same industry all rely on the same critical supplier. Think, for example, of the importance of a few clearing banks and payment messaging systems for the communication and clearing of financial transactions in the financial services industry. If such a critical supplier for an entire industry gets breached, this could have major systemic implications that could even bring the whole system to its knees.
It is these fourth-party and systemic concentration risks that we believe will pose the greatest threat to organisations’ supply chains in 2024. The most likely candidates for these types of attacks are the public sector, financial services sector and critical national infrastructure. Aware of this challenge, regulators are increasingly pushing for organisations to focus more on these potential concentration risks within the context of boosting organisations’ operational resilience as well as reducing systemic risks in entire sectors.
Reducing such concentration risks, however, first requires organisations to:
A model for enabling such industry-wide collaboration to reduce concentration risk, for example, is being provided by FS-ISAC, a global cyber intelligence sharing community for the financial services industry. FS-ISAC not only offers its members actionable cyber intelligence sourced directly from its members and its own Global Intelligence Office, it also facilitates collaboration between financial services organisations in the context of emerging threats that could have systemic implications for the entire sector. This model of collaboration and burden sharing will be key to effectively reducing both 4th party and especially systemic concentration risks in organisations’ supply chains in 2024, and to harden the supply chain security of entire sectors.
Cyber attacks by threat actors linked to nation states have jumped from 20% to 40%, prompting the NCSC to issue a threat alert last year, warning against an increasing number of state-sponsored attacks targeting UK critical national infrastructure. With the digital world having become as big a battleground for state actors as the real world, especially since the beginning of the Russia-Ukraine war a new wave of hacktivism and cyber attacks by state-sponsored threat actors has been unleashed.
The biggest concern with state-sponsored attacks is their potential impact, given the resources and expertise behind them, as the example of SolarWinds attests to. When an advanced persistent threat (APT) actor injected malware into Solarwinds’ Orion IT monitoring and management software, this affected thousands of organisations, including several federal agencies in the US. More recent state-sponsored attacks perpetrated by Russian-linked hackers have included a supply chain attack against one of the British Ministry of Defence’s suppliers, which provides fences for high security sites. According to an article in The Defense Post, the hack gave the Russian hacker group LockBit access to gigabytes of data relating to high security sites in the UK. Meanwhile, in Denmark, Russia-affiliated hackers managed to breach 22 Danish power companies, apparently with the aim to gain access to Denmark’s decentralised power system according to the Centre for Strategic and International Studies.
Making the situation worse, many state-sponsored threat actors are no longer just motivated by financial gains or even by the goal to gather intelligence, but are increasingly also intent at disrupting systems and organisations, or even at destabilising entire sectors and economies. Moreover, similar to the WannaCry ransomware attack, where threat actors exploited vulnerabilities in the Windows operating system to gain access to organisation’s internal systems, state-nexus groups remain especially focused on “trojanising known software packages” to target cloud infrastructure.
The worsening global geopolitical climate suggests that 2024 will see an increase of such advanced cyber warfare from all sides. Events such as the upcoming 2024 US presidential election will further increase the likelihood of sophisticated attacks by state-sponsored threat actors to either disrupt elections, sway voter opinion through the propagation of misinformation, or indeed in an attempt to alter ballout outcomes through targeting digital ballot systems.
To mitigate against the rising threat of state-sponsored attacks, organisations can’t do much more than to strengthen their overall cyber security posture and those of their critical suppliers. Other than that, governments and their national security agencies must place a premium on:
People generally remain one of the weakest links in organisations’ security posture, as they are prone to normal human behaviours and errors. Regardless of how good the policies and how secure the systems of organisations are, individuals will remain the principal target of threat actors in 2024.
On average, organisations are targeted by 700+ social engineering attacks annually, and phishing remains the most popular attack vector. Other common threat vectors, according to ENISA, include “spear-phishing, whaling, smishing, vishing, watering hole attack, baiting, pretexting, quid pro quo, honeytraps and scareware.”
As social engineering attacks have significantly increased in sophistication, employees more and more struggle to detect a phishing email, text message, or LinkedIn message, to name just a few, and will accidentally click on a malicious link or download a compromised attachment. The most popular type of phishing attack is spoofing, where a threat actor impersonates a trusted brand, client, partner or even colleagues. Generative AI will make spoofing even harder to detect by allowing threat actors to create communications that are much more personalised, and by taking advantage of deep fakes, both in audio and visual form.
To take just one example, threat actors are now able to simply identify an existing online video or audio file of a company’s CEO, utilise generative AI applications to create an audio message cloning the voice of the CEO, and then use this to launch a social engineering attack against unexpecting company employees.
With the rapid increase of remote working since the COVID-19 pandemic, the risk of social engineering attacks against organisations has further increased. With employees asked to work from home wherever possible during the pandemic, cyber attacks notably increased by 300%.
To mitigate against the constant risk of phishing attacks and other forms of social engineering, the most effective practical steps cyber security teams can pursue include:
Organisations’ supply chains remain the perhaps weakest link in any security posture and third party (and fourth party) risk among the most challenging to mitigate. All of the above trends and associated threats will affect the corporate supply chains of organisations.
To achieve meaningful supply chain security, however, organisations need to start approaching risk management differently. Traditional third party risk management, with its focus on assuring individual suppliers no longer suffices to protect organisations from supply chain attacks, especially if they originate further down an organisation’s extended supply chain ecosystem. If you want to beat the bad guy, you're going to need a whole community of good guys on your side. In other words - when it comes to cyber security - collaboration is key. So why do we expect single organisations to have the capacity and expertise for fending off cyber criminals alone? Why, when an organisation comes under attack, are we so quick to blame them for having ineffective security controls instead of looking at the bigger picture?
Organisations are linked, whether they like it or not, and the responsibility for preventing cyber crime is inescapably shared by the entire ecosystem. Blaming a single organisation for falling victim to a breach only perpetuates an every-man- for-himself mindset which does nothing to stop further attacks. To put it simply, an organisation's defences are only as strong as those of the other organisations in the ecosystem, so sharing resources and data is in everyone's best interests.
Connected organisations have a natural incentive to make sure there isn't a breach within their ecosystem. When everyone is connected, an attack on one organisation is tantamount to an attack on every organisation, which means that looking out for each other can only be beneficial. And conversely, failing to collaborate can only be detrimental for everyone involved. Organisations with large security operations centres and strong expertise in hunting, detecting and responding to attacks must rally around their smaller partners and suppliers in order to protect the whole system. When it comes to cyber security, organisations can only win when they play as a team.
This is why Risk Ledger espouses the concept of ‘Defend-as-One’, because if we all take a much more collaborative approach to supply chain risk management, we become a powerful army, rather than a lone ranger in the fight against cyber crime.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
