Cybersecurity: Your supply chain is now your weakest link

"Criminals don't just give up, they look for easier ways in," ex-GCHQ boss Robert Hannigan tells ZDNet - and that easy way in is via your third-party suppliers.
Written by Danny Palmer, Senior Writer

More than 80% of organisations have experienced a data breach as a result of security vulnerabilities in their supply chains, as cyber criminals take advantage of the poor security of smaller vendors as a means of gaining access to the networks of large organisations.

Research by cybersecurity company BlueVoyant found that organisations have an average of 1,013 vendors in their supplier ecosystem – and that 82% of organisations have suffered a data breach in the past 12 months due to cybersecurity weakness in the supply chain.

But despite the risk posed by security vulnerabilities in the supply chain, a third of organisations have little to no indication of whether hackers have got into their supply chain, meaning that they may not find out that they've been the victim of an incident until it's too late.


Large companies are likely to be better protected than smaller companies, which means hackers are increasingly turning towards their suppliers as a means of infiltrating the network in a way that will often go unnoticed.

"Very often people think, well, what are our most critical suppliers and inevitably they end up with their top ten being some of the world's biggest names, like cloud providers. But that's not where the threat comes from," Robert Hannigan, chairman of BlueVoyant International, told ZDNet.

"It's much more likely that the real threat is going to come from a much smaller company you've never heard of but which is connected to your network," said Hannigan, who was previously director of GCHQ. 

An example of this was seen in 2017, when the NotPetya attack, apparently first spread using the hijacked software-update mechanism of an accounting software company, infected organisations around the world. The attack quickly spread out of control and took down networks of organisations across Europe and beyond.

"Who would have thought with NotPetya that some accountancy software being updated would lead to massive disruption across Europe? It wasn't a top supplier for any of the companies that were hit, but it led to huge damage and interruption," said Hannigan.

Other attacks against the supply chain are much more subtle, with cyber criminals infiltrating the vendor with malware or phishing emails and taking over accounts, which they then use as a gateway to breaching the larger organisation, especially if there's already a trusted relationship between them.

This was the case when a utilities company suffered a data breach after cyber criminals targeted it via its law firm, compromising the account of someone at the firm and using that to compromise the utility company.

"What the attacker has done is compromise the inbox of someone in this particular firm and because the attacker was using the identity of a real person and their real inbox, the normal protection against phishing emails didn't work because it's just an email from a regular trusted person – but unfortunately it wasn't the regular person, it was an attacker," Hannigan explained.

One of the key reasons that supply-chain vulnerabilities can go unnoticed is that it often isn't clear who is in charge of managing risk when it comes to relationships with third-party vendors. Even if it's known that a supplier might have vulnerabilities, the problem might never be fixed because no person or team has responsibility for that vendor.

"I haven't met a CISO who's not aware that there's a huge ecosystem to make sense of, but finding a way to do it is a challenge. Even the biggest organisations have a limited team for dealing with cyber risk and there's a limit to what they can get to. You can't expect a small team to manage risks of 10,000 vendors," said Hannigan.


To better manage the risk posed by supply-chain vulnerabilities, the report recommends that organisations decide who owns third-party cyber risk so that they can adopt an effective strategy to manage it, and that they improve visibility of the whole supply chain.

The report also recommended that organisations that think there are risks in their supply chain should alert and aid third parties with potential vulnerabilities, because that's who cyber criminals will target in an attempt to breach your network.

"Criminals don't just give up, they look for easier ways in. It's inevitable that when companies' perimeters got better defended, criminals would start to look at the soft ways to get in – and the supply chain is the obvious way to do that," said Hannigan.

