As cyberattacks become more common and highly publicized—and as the “bad actors” behind these crimes get more sophisticated—companies are paying closer attention to their supply chains as potential points of vulnerability. And while supply chain security isn’t necessarily a new problem, even a single breach in these critical networks could disrupt an entire organization.
“As supply chains have become more digitized and interconnected, they have also become more vulnerable to a range of cyber threats,” Samuel D. Goldstick points out in “Combatting Supply Chain Cyber Threats: Safeguarding Data and Protecting Digital Supply Chains.” “These threats not only pose risks to the direct operations of companies but also to the extensive network of suppliers, providers, vendors, and customers that constitute the supply chain ecosystem.”
The proof is in the numbers. Citing industry data, Goldstick says the number of organizations impacted by supply chain attacks has surged by more than 2,600% since 2018, with victims increasing 15% (to more than 54 million) in 2023 alone. And supply chain-related disruptions that occurred in 2023 led to an average $82 million in annual losses per organization in key industries, including financial services, aerospace, defense, healthcare and energy.
“This trend is unlikely to slow down any time soon, as attackers are continuing to refine their techniques and exploit weaknesses in the interconnected ecosystem of third-party vendors and software,” Goldstick writes. “Thus, more than ever before, it is crucial to recognize that supply chain vulnerabilities are now intricately woven into the fabric of cyber threats, marking a significant shift in how organizations across all industries alike approach the security of the interconnected networks.”
New Attacks Emerging Every Month
Earlier this month Home Depot became the latest high-profile organization to fall victim to a cyberattack. According to techradar, a small subset of the company’s employee data was leaked by a third party.
“Apparently, this was a supply chain attack,” techradar reports, “with Home Depot stating that [a] third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates’ names, work email addresses and User IDs during testing of their systems.”
Also in April, business analytics software company Sisense suffered a compromise that prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to Sisense’s customers.
“Although the details of the attack are not yet clear,” Cyberscoop reports, “the breach may have exposed hundreds of Sisense’s customers to a supply chain attack and provided the attacker with a door into the company’s customer networks.”
Issued on April 11, the CISA alert urged Sisense customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services. It also advised them to investigate—and report to CISA—any suspicious activity involving those credentials.
3 Steps to Better Supply Chain Security
To help organizations address current and emerging cyberthreats and improve their supply chain risk management, the National Institute of Standards and Technology (NIST) advises companies to follow these three principles:
- Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on the next steps. “The question becomes not just how to prevent a breach,” NIST points out, “but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.”
- Don’t view cybersecurity as a “technology problem.” According to NIST, it’s actually a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain follow secure practices.
- Physical security and cybersecurity go hand-in-hand. In other words, there should be no gap between physical and cybersecurity. “Sometimes the bad guys exploit lapses in physical security in order to launch a cyberattack,” NIST explains. “By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.”