Product Update
Control over your email preferences
Amidst the recent proliferation of cyber attacks against the corporate supply chains of organisations, this article sets out to explain why running an effective third-party risk management (TPRM) programme has become so essential. It explains what’s driving the rise in supply chain attacks, the motivation and modus operandi of the attackers, the implications for affected organisations, the shortcomings of current approaches to TPRM, and how Risk Ledger can help organisations bolster their supply chain security.
It is getting harder to defend against cyber attacks, which are continuing to grow in sophistication and frequency. The average business faces 1,248 cyberattacks each week. Despite the rising complexity of cyber attacks, there are in essence only 5 ways your company can be targeted by threat actors, namely through:
As an industry, we dedicate a lot of time, effort, and resources to mitigating the first 4 risks, but we continue to neglect suppliers. Yet, to effectively mitigate the risk of third-party breaches, requires you to also consider the networks, applications, physical premises, and people for most of your suppliers. The failure to focus more on the security of our supply chains has resulted in a situation where over the past 5 years, 89% of organisations suffered a third-party breach.
The attack surface that threat actors can exploit is continuously widening, and the major digital transformation that the global economy is undergoing is one leading cause of this, as well as of the increasing complexity of digital supply chains more generally.
As a major European Central Bank’s Banking Supervision research effort into the digital transformation of the financial services sector revealed, 90% of financial institutions are making increasing use of APIs and cloud computing as the foundation for their digital transformation strategies. 60% of banks now use AI in their services and operations, including for chatbots, credit scoring and algorithmic trading.
More generally, most departments in large enterprises use 40-60 applications to enable their teams to communicate, connect, and collaborate on a global scale. But, 97% of cloud applications are unsanctioned and therefore haven’t been subject to a security assessment. This leaves organisations exposed - over three-quarters (77%) of executives have been made aware of an organisation in their supply chain they didn’t know about, also known as shadow IT.
Digitalisation and its accompanying innovations, while essential to boost productivity and growth, also mean a continuously growing dependence on often less cyber secure third parties. But your security is only as good as your weakest link. A single breach anywhere in your supply chain can trigger a domino effect with the potential to do major harm to your business.
The dangers that third-party breaches expose organisations to are not merely financial, although the potential financial fallouts can be prohibitive as we will demonstrate shortly. The risks to organisations arising from a supply chain breach also include legal, regulatory and reputational risks, and could even have business continuity implications.
But let us first look at the possible financial implications of a third-party breach on an organisation. According to the ‘Cost of a Data Breach Report 2023’ the average cost of a data breach in 2023 was $4.45 million (a 15% increase over 3 years). This includes costs associated with ransom payments and lost revenues to business downtime, remediation, legal fees, audit fees, and more. Meanwhile, it has been estimated by Juniper Research that businesses globally are likely to incur costs of $46 billion from supply chain attacks, and the global economy nearly $81 billion in lost revenues, by 2026.
According to Harvard Business Review, following a data breach publicly traded companies suffered an average decline of 7.5% in their stock values and audit fees became 13.5% higher compared to firms without breaches. Meanwhile, 60% of affected organisations need to raise prices after a breach, reducing their competitiveness.
To provide just one prominent example of the costs associated with a supply chain incident, let us take a look at the SolarWinds attack of 2020 when threat actors, believed to be associated with Russian intelligence, managed to add a malicious software update to the SolarWinds’ Orion, a popular network management system. The attack is said to have impacted up to 18,000 clients of SolarWinds worldwide – including federal US government departments such as Homeland Security, State, Commerce and Treasury, as well as major vendors, such as Microsoft, Intel, and Cisco. According to Google, 86% of all supply chain intrusions in 2021 were still related to the SolarWinds breach.
The cumulative costs of the attack for all affected parties have been significant. Starting with SolarWinds itself, the company reportedly incurred costs of almost $40 million, partially offset by insurance receipts, in the first nine months of 2021 alone, according to SolarWinds’ own quarterly report from October 2021. The estimated costs resulting for cyber security insurers, on the other hand, are believed to be $90 million, with payouts used to finance incident response and forensic services among other expenses.
Jake Williams, a former US National Security Center’ hacker and now founder of cybersecurity firm Rendition Infosec LLC, argued that the overall cost to businesses and government agencies for investigating the breach and attempting to expel the hackers from their systems could reach $100 billion.
In addition to the direct costs associated with supply chain attacks, there is also the significant reputational and legal risk that such attacks can cause for organisations. Take the example of the recent MOVEit Transfer supply chain attack.
When Russian threat actor ClOP exploited the vulnerability in Progress Software’s data transfer software, this allowed it to exfiltrate large amounts of data managed by a company called PBI Research Services, a leading research service provider used by many financial institutions to determine whether their account holders are still alive, or to find beneficiaries. This research provider had used MOVEit Transfer to process their customer data. When notified by the research service that their data had been compromised, a range of individuals have since filed a class-action complaint against several financial institutions, in addition to the research service provider and Progress Software.
Coming back to the example of Solarwinds, already in October 2022, SolarWinds settled a class action lawsuit, and agreed to pay shareholders $26 million. But that was not the end of the story. The Securities and Exchange Commission (SEC) announced in October last year that it has brought charges against SolarWinds and its chief information security officer, Timothy G. Brown, “for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”, demonstrating the potential legal ramifications not just for companies, but also for individual staff.
Perhaps most disconcerting of all, supply chain attacks can also have direct business continuity implications. Let’s consider the two examples of the ION Trading Technologies and MAERSK. ION Trading Technologies is a provider of digital solutions for electronic trading, pricing and order management, including facilitating the settlement of exchange-traded derivatives, to some of the world’s largest banks, hedge funds and brokerage firms. It counts more than 100 financial services companies among its clients. When ION was hit by a ransomware attack last year, this forced its systems offline, resulting in financial institutions suddenly having to manually confirm trades, causing ripple effects and reporting delays across the sector. According to an article in Reuters, this resulted in its clients having to resort to outdated analog methods such as recording trades in spreadsheets while the US Commodity Futures Trading Commission had to delay the release of weekly trading statistics due due to organisations affected by the ION outage being unable to produce daily trading reports in a timely manner.
But whereas the fallout and impact of the ION Trading Technologies attack was fairly limited, the same can not be said for the impact of the 2017 NotPetya attack affecting the global shipping giant MAERSK. The attack, conducted by a group of Russian hackers called Sandworm and principally directed against Ukraine, exploited a vulnerability in the MeDoc tax accounting software that was used by most businesses in Ukraine. The malware, however, which behaved very differently to the original Petya ransomware and was designed to destroy the systems it infected, soon spread beyond Ukraine.
The malware was so aggressive that after infecting an initial system of Maersk, it quickly spread across all Maersk locations and systems around the world, forcing the company to basically shut down all its operations. The impact of the attack almost meant the end of Maersk, which controlled 76 ports and over 800 vessels around the world at the time, and was involved in one-fifth of global trade. Only by a stroke of luck was Maersk able to completely rebuild its entire IT hardware and software infrastructure using one remaining unaffected backup.
As the cyber security postures, especially of large global corporations as well as sensitive government bodies and operators of critical national infrastructures are getting stronger and more difficult to penetrate directly, threat actors are increasingly looking to the weakest links in their targets’ security postures, often to be found in smaller and less secure third parties. This is why smaller suppliers, who often lack the internal resource and expertise, and are easier to penetrate, often become the target of such attacks, especially by state-sponsored hacking groups.
So given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business files or personal data held or processed by other organisations on your behalf may be at risk.
But it is also important to appreciate the quite diverse reasons for threat actors to stage supply chain attacks. It is these motivations that this section of our article will now turn to.
First and most prominently of course, threat actors are often principally driven by financial motives. Whether cyber criminals, especially ransomware gangs, or state-sponsored threat actors, especially those affiliated with financially weaker rogue states such as North Korea and Iran, cyber attacks have become a thriving global economy in its own right. If it were measured as a country, cyber crime would be the world’s third-largest economy after the U.S. and China.
Often for the same reason, threat actors want your data. This is the principal way they can make money from a cyber attack. Attackers want your data either in order to sell them on the Dark Web or for corporate or government espionage purposes. So the motivation for data theft incidents through suppliers are either driven by financial incentives, or by the goal to obtain valuable intelligence such as proprietary data on advanced technologies and other innovation from competitors or rival states. Data from the European Union Agency for Cybersecurity (ENISA) shows the majority of supply chain attacks are designed to steal data.
Increasingly, however, many threat actors are no longer just motivated by financial gains, or even by the intent of obtaining information. Especially state-sponsored attacks, which have been increasing steadily since the outbreak of the war in Ukraine, are increasingly aimed at causing business disruption or even at destroying the systems they penetrate. This is what the previously discussed NotPetya attack, among others, demonstrated.
Less prominent, but an equally alarming occurrence are the often very real physical effects of cyber attacks against infrastructure. The Refahiye pipeline explosion in Turkey in 2008, for example, that took the entire Baku-Tbilisi-Ceyhan pipeline out of commission for 20 days is believed to have been caused by a deliberate cyber attack. While Turkey subsequently denied that a cyber attack was to blame for the explosion, in an article that appeared on Bloomberg in December 2014, the authors Jordan Robertson and Michael Riley claimed that “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident’”.
There was also the famous Stuxnet cyber attack against the Iranian nuclear programme, which resulted in the destruction of numerous Iranian nuclear centrifuges, and which has become known as Operation Olympic Games. The attack utilised a worm, a link file and a programmable logic controller rootkit, and targeted the industrial control systems of Siemens.
Since there is the potential for an attacker to move from a breached supplier software onward into connected systems, they can also be motivated by penetrating the systems of specific organisations and bodies for a longer-term future plan. This is again particularly likely to be the case for threat actors affiliated with nation states.
In the context of the SolarWinds attack, for example, which affected up to 18,000 clients of the company, including many federal government agencies in the US, it was discovered that Russian attackers had breached and then lay dormant in government systems for weeks, if not months. They upgraded user privileges and created new ones in the systems they had breached and were able to monitor internal emails by government agencies as well as extract sensitive information from their targets. This onslaught against US Government departments reportedly affected, among others, the US Treasury and Commerce departments as well as the Department of Homeland Security and the Pentagon.
Not all of your suppliers will pose a significant risk to your business if breached. So which types of suppliers do you need to look out for in particular, and ensure that their security postures are sufficiently strong to not pose an overt risk to your organisation?
Typically among the most important suppliers to your organisation are those that you rely on for critical business functions, whether that be core business management and communications software such as provided by Microsoft or Google, data centres and cloud hosting providers such as Amazon AWS, but also Sales-enablement software, or in the case of a financial services organisation, trade settlement software or financial messaging services, among many other examples. Without these key service providers, your organisation could either no longer perform key business functions, or at least be severely affected and in need of often very tedious and inefficient workaround solutions.
Another category of suppliers that you need to be mindful of are those that your organisation transfers sensitive data to, or which handle sensitive corporate or customer data on your behalf. These could include, but are not limited to, human resources management software, payroll providers, health insurance services, and many others. Should these suppliers get breached, this could lead to a significant loss of data for your organisation and your customers.
There are also tools and software that other organisations integrate into their own software or service offerings, as is the case for example with ChatGPT and other large language models that are being integrated by thousands of software providers into their own service offerings. Software stacks usually consist of many open-source but also proprietary tools and services that are being integrated in products and services offered by other organisations.
The last group of suppliers that should be on the forefront of your mind are those that you grant system access to, or which are deeply integrated within your systems. Examples of such suppliers include for example anti-virus software, firewalls and other perimeter defence cyber security solutions, but also data analysis tools, among many others.
Before an organisation starts working with a new supplier, they’ll typically go through an onboarding process, which checks their networks, applications, physical premises, and people to verify the supplier is safe to work with.
Infosec and procurement teams are carrying the burden of managing these ‘point in time’ cyber security assessments. This inefficient, ineffective admin makes for poor-quality data that goes out of date fast. It’s a paper shield that offers little protection.
Less than a third (29%) repeat this process annually to attest that supplier is still safe to work with. A lot can happen in a year. Your business may have ‘ticked the box’ to say a supplier is safe, but that was only for a moment in time. A threat actor can use this to their advantage by finding a vulnerability, like a security patch that wasn’t applied to a supplier’s software, to gain access to your systems.
Also, organisations hardly manage to assure more than 10% of their immediate third-parties. Historically, resource constraints have justified a lack of supplier coverage. This will soon be untenable for organisations that hope to compete and stay secure.
Traditional third party risk management programmes are thus simply inadequate for our increasingly interconnected and fast-moving world.
But this is not all. There is an entire additional universe of risks beyond your third-party connections. Your suppliers have suppliers, who also have suppliers, etc. It’s a bit like LinkedIn where you have 1st, 2nd, and 3rd degree connections, which makes supply chain risk one of most challenging threats to mitigate. McKinsey agrees. It says, “Supply-base transparency is hard (or impossible) to achieve. In modern multi-tier supply chains, hundreds or thousands of suppliers may contribute to a single product.”
Data from the National Cyber Security Centre shows that only 13% of organisations review their immediate suppliers, and just 7% investigate risks beyond third-parties. At the most basic level, you need to know who sits in your supply chain, because you can’t protect yourself against what you can’t see.
It doesn’t matter if you’ve invested in a robust security system and employ the top security talent, a threat actor will use a small supplier to infiltrate your network – and that supplier may not even work directly with you. Threat actors actively seek to exploit your nth parties to gain access to your data.
Risk Ledger is the only network of interconnected organisations, working together to improve the security of the global supply chain. It provides a scalable supply chain risk management solution, which will significantly reduce the time and effort required to review suppliers as well as increase the security maturity within your supply chain.
Suppliers create a Risk Ledger profile for their organisation, covering controls from the NIST Cyber Security Framework, ISO27001, NCSC Cyber Assessment Framework and many other well-known cyber security standards. Clients view and interact with this profile to understand the security controls in place within that supplier and the contextual risk to them.
You can use Risk Ledger to review supplier’s security controls as well as discuss and request remediations. You can gain a snapshot of the overall compliance level against your policies, as well as dive deep into the documentation the supplier has provided to evidence their controls.
Our platform is security-led, enabling organisations to identify, measure and mitigate risk. As important as it is to respond to zero day threats and emerging threats internally, understanding how third parties are reacting is imperative to minimising risk.
Visibility beyond your immediate third-parties, into risks in 4th, 5th and n-th parties is also key.
Like LinkedIn for cybersecurity, we’ve created a network of suppliers so you can visualise your supply chain to the nth degree, see live assessment data, and be alerted to any changes in suppliers’ security controls.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
