The risks of supply chain cyberattacks on your organisation

Nick Martindale explores the risks to organisations associated with supply chain cyberattacks and what you should do about them

Cybersecurity is now firmly on the radar for most businesses, at least when it comes to their own systems and processes. But such efforts do not necessarily extend to the wider supply chain, where suppliers – often smaller businesses – could prove an easy target for criminals.

BlueVoyant’s State of Supply Chain Defence Annual Global Insights Report, released in November 2024, finds 95 per cent of UK organisations have experienced cybersecurity incidents in their supply chain, and 34 per cent say they have no way of knowing when such an incident occurs.

Using smaller organisations to access larger ones

For organisations, there are essentially two main risks stemming from a cyberattack on a supplier. The first is the potential for this to lead to an attack or data breach affecting their own business. “The risks range from ransomware and extortion, through data exfiltration and compromise of networks to sensitive data leaks and denial of service – meaning business disruption, reputational damage and regulatory fines are all potential outcomes,” says Glen Williams, CEO of Cyberfort.

Smaller suppliers in particular are being targeted as a means to access larger businesses, says John Higginson, director at Unit 42, the threat intelligence and research arm of Palo Alto Networks. “Cybercriminals can easily leverage weak points as an easy way into larger organisations, particularly if there are trust relationships between networks,” he says. “A recent high-profile example was last year’s Santander third-party database hack. However, even if this is not the case, they can be used as an entry point to gain access to the larger business, exploiting the trust by sending malicious emails from trusted accounts.”

Widely used software is a particularly effective vector, says John Lynch, director of Kiteworks. He cites the MOVEit supply chain attack of 2023, which affected over 2,500 organisations and compromised the data of more than 66 million individuals, as an example of how a single vulnerability in a widely used software tool can have far-reaching consequences.

“The primary risk for organisations stems from their reliance on third-party vendors and software, which can become entry points for cybercriminals,” he says. “Many organisations were impacted not because they directly used the compromised software, but because their data was handled by third-party vendors that did.”

Reduced capabilities

The second danger is operational: a supplier whose ability to function is compromised cannot deliver its products and services, and the disruption cascades down the chain. “Any significant disruption in that chain will impact the end-customer,” says Emile Naus, partner at the consultancy BearingPoint. “A cyberattack on a supplier, even if it supplies a relatively small component in the product, could stop production and result in the customer not receiving their product. The financial impact on cashflow could potentially collapse the supply chain altogether.”

What organisations need to do

Organisations need to reduce the risk of key suppliers falling victim to cyberattacks, and to limit the damage when one does. A good starting point is to work out just where they are most exposed, says Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant. “Understand your external attack surface and third-party integrations to ensure there are no vulnerabilities,” she urges. “Consider segmentation of critical systems and minimise the blast radius of a breach. Identify the critical vendors or suppliers and ensure those important digital relationships have stricter security practices in place.”

Bob McCarter, CTO at NAVEX, believes there needs to be a stronger emphasis on cybersecurity when selecting and reviewing suppliers. “Suppliers need to have essential security controls including multi-factor authentication, phishing education and training, and a Zero Trust framework,” he says. “To avoid long-term financial loss, they must also adhere to relevant cybersecurity regulations and industry standards.”

But it’s also important to regularly perform risk assessments, even once the relationship is established, says Janssen-Anessi. “The supply chain ecosystem is not static,” she warns. “Networks and systems are constantly changing to ensure usability. To stay ahead of vulnerabilities or risks that may pop up, it is important to continuously monitor these suppliers.”

Higginson suggests assessments be carried out on an annual basis or after any significant changes to a supplier relationship. “This could be penetration tests or red team testing, reviews of response plans, and cyber tabletop exercises,” he says. “One can also look at implementing a Zero Trust strategy, which includes measures like providing secure enterprise browsers to remote employees or contractors, mandating multi-factor authentication and setting up proper network policies to only allow access to trusted users and trusted content.”

Ongoing monitoring of third parties is also essential, to help identify changes that could impact their ability to meet an organisation’s risk and performance expectations, suggests Katherine Kearns, head of proactive cyber services at S-RM. “Changes in ownership, new sub-contractors or the adoption of new technology can quickly alter a supplier’s risk profile,” she says.

Continuous third-party risk monitoring is therefore required, and increasingly it uses artificial intelligence (AI) to analyse risk data. “AI has made this process faster and cheaper,” says Kearns. “In the right hands, this data can provide powerful insight into the security risks that your critical suppliers are exposed to, sometimes even without direct engagement.”
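Kearns’ point about assessing a supplier without direct engagement can be illustrated with one externally observable control: the SPF and DMARC records a supplier publishes in DNS, which determine whether mail claiming to come from its domain can be spoofed. The Python below is an added example, not code from the article or from any of the firms quoted. It parses constructed sample records for hypothetical supplier domains (no live DNS lookups are made) and rates each domain’s spoofing resistance. One caveat a practitioner should keep in mind: a strict DMARC policy stops mail forged in the supplier’s name, not the scenario Higginson describes above, where mail is sent from a genuinely compromised supplier account and passes authentication.

```python
"""Offline assessment of supplier email-authentication posture (SPF/DMARC).

Added example. The records below are constructed sample data for
hypothetical domains; in practice they would come from DNS TXT lookups.
"""
import re

# Constructed sample TXT records for hypothetical supplier domains.
SAMPLE_RECORDS = {
    "supplier-a.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@supplier-a.example",
    },
    "supplier-b.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@supplier-b.example",
    },
    "supplier-c.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
    "supplier-d.example": {
        "spf": "v=spf1 mx -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=20; sp=none",
    },
}


def parse_spf(record):
    """Return the qualifier on the terminal 'all' mechanism ('+', '-', '~', '?'),
    or None if the record is missing, not SPF, or has no 'all' term."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' means pass (+all)
    return None  # no 'all' term: receivers treat unlisted senders as neutral


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict of lowercase tags.
    Returns None when the record is missing or is not a DMARC1 record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf_record, dmarc_record):
    """Rate a domain's resistance to spoofing: returns (level, findings)."""
    findings = []
    spf_all = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    if spf_record is None:
        findings.append("no SPF record published")
    elif spf_all == "+":
        findings.append("SPF '+all' authorises any host to send as this domain")
    elif spf_all is None or spf_all == "?":
        findings.append("SPF has no fail mechanism; unauthorised senders are treated as neutral")
    # '~all' (softfail) and '-all' (fail) both give DMARC a usable SPF result.

    if dmarc is None:
        findings.append("no DMARC policy; SPF/DKIM results are not enforced")
        policy, pct = "none", 0
    else:
        policy = dmarc.get("p", "none").lower()
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 100
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("no DMARC aggregate reporting address (rua)")

    if policy in ("quarantine", "reject") and pct == 100 and spf_all in ("-", "~"):
        level = "enforced"
    elif policy in ("quarantine", "reject"):
        level = "partial"
    else:
        level = "unenforced"
    return level, findings


def assess_suppliers(records):
    """Assess every supplier domain in a {domain: {'spf': .., 'dmarc': ..}} map."""
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, (level, findings) in assess_suppliers(SAMPLE_RECORDS).items():
        print(f"{domain}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

Only the terminal `all` qualifier and the DMARC `p`, `pct` and `rua` tags are evaluated; a fuller check would also follow `include:` chains and confirm DKIM selectors, which needs live DNS and is outside this offline example.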

As well as regular scrutiny, though, it’s important that organisations work with suppliers to help them improve their defences, says Ed Williams, vice president of consulting and professional services, EMEA, at Trustwave. “Employee education plays a critical role, as many cyberattacks, especially phishing and social engineering scams, are aimed at exploiting human error rather than technical vulnerabilities,” he says. “Training staff to recognise these threats and respond appropriately can be a company’s first line of defence.” Organisations can also help suppliers produce basic incident response plans, he adds, which detail how to contain and recover from a breach.

With the cyber-threat growing and criminals increasingly treating suppliers as a route into larger organisations, this area is likely to receive far more attention over the coming years than it has so far.

“Growing connections among companies will increase the attack surface for cybercriminals,” predicts McCarter. “As companies become increasingly interconnected, it will become even more complicated to monitor and manage the extended supply chain. In the next few years, we could expect stricter regulations to enforce supply chain cybersecurity, greater emphasis on Zero Trust security frameworks and pricier cyber insurance premiums.”


Nick Martindale

Nick Martindale is an experienced freelance journalist, editor and copywriter. He specialises in writing about workplace matters, including HR, procurement and technology.
