Supply chain attacks: how secure are your third party suppliers?

A recent report from NCC Group reveals that supply chain cyber attacks have increased by over 50% since 2021. According to a McKinsey survey of supply chain executives, 93% believe they are taking the necessary steps to make their supply chains more resilient. However, a comparable Gartner report states that only 21% of supply chain executives believe their networks are resilient.

53% of organisations have experienced a data breach caused by a third party

What good is a strong, tried and tested cyber security culture in your organisation if the third party vendors and suppliers you are working with are not up to par? In fact, if they are not in line with your organisation’s security maturity, they will be introducing weaknesses and security gaps into your infrastructure that can be exploited by threat actors.

To maintain high levels of cyber security and awareness, organisations need to start treating third party suppliers as an extension of their business. This means that when a CISO/DPO is planning their cyber security programme and training, time must be allocated to assess the security environments of third party suppliers – with contingencies in place to educate these colleagues equally.

However, data published by the DCMS (Digital, Culture, Media, and Sport), in their Cyber Security Breaches Survey 2022, reveals that only 13% of UK businesses review risks coming from immediate suppliers and an even smaller 7% address the risks coming from the wider supply chain. Cyber criminals are aware that organisations do not take supply chain security seriously and are targeting them as a result.

Only 7% of UK businesses address the cyber risks coming from the supply chain

What is a supply chain cyber attack?

A supply chain attack, sometimes referred to as a value-chain attack or third party attack, occurs when a threat actor accesses your system via an outside partner or vendor with access to your data and system. These attacks are usually conducted with the intention to ransom for money or disrupt the services of the targeted organisation for political, reputational, or financial damage.

Saepio data reveals that 53% of organisations have experienced a data breach caused by a third party. And PWC’s 2022 Global Digital Trust Survey states that only 31% of companies surveyed understand the risks that come from third party networking.

As more organisations expand their supply chain, especially globally, the size and nature of the attack surface of a typical enterprise has dramatically changed. Supply chain cyber attacks can occur at any point in the supply chain with many hackers targeting logistics providers, manufacturers and even air conditioning providers for any way into the network of the targeted company.

These types of attacks can be extremely hard to detect as the target company does not necessarily have a direct link to the third party vendor on their supply chain. This is why it is essential to take a proactive approach with supply chain security.

Only 31% of companies understand the cyber risks that come from third party networking

Examples of third party cyber attacks

At TSC we have been made aware how important of an issue third party cyber attacks are by our clients and how it is a growing concern in 2023. This is an attack avenue that can affect organisations of all sizes and industry with attackers using a secondary company or organisation to gain access to their ultimate target.

Many organisations are not looking out or aware of these attacks and can therefore lead to massive consequences as the attack goes unnoticed for a prolonged period.

Here are some examples of third party cyber attacks:

• Target, 2013: Hackers accessed Target’s systems by breaching the security of one of the retailer’s HVAC (Heating, Ventilation and Air Conditioning) vendors. Here, a hacker targeted Fazio Mechanical, a Pennsylvania HVAC company, with phishing emails. Eventually, a Fazio employee opened a fraudulent email with malicious attachments on a system connected to Target’s network. As a result, hackers were able to steal tens of millions of customer data, such as credit card numbers and personal information.
• Yahoo, 2016: Here, a hacker called ‘Peace’ targeted a third party vendor that was providing ancillary services to Yahoo’s online services using a phishing scheme. As a result, ‘Peace’ gained access to the personal information of more than 1 billion users through just one compromised employee and one malicious link. In the end, the Yahoo hack of 2016 was the biggest public breach of personal data worldwide since MySpace was hacked for 360 million user details.
• Democratic National Committee (DNC), 2016: The DNC were targeted by Russian hackers in the lead up to national elections of significant importance. These hackers, once again, targeted a third-party vendor working with the DNC and were able to steal emails, official documents, and personal information. These hackers leaked data to the public and caused significant political and reputational damage to not only the DNC but also the USA itself.
• Equifax, 2017: Here hackers breached the security of Apache Struts, a third party online service used by many organisations including Equifax. Apache Struts had issued a patch to plug vulnerabilities, but hackers targeted organisations that had yet to run the patch. In the end, they walked away with the personal information of more than 145 million US customers and 15 million British customers. In February 2020, the US government credited the attack to Chinese hackers, though the Chinese Communist Party denies this assertion.
• Capital One, 2019: Paige Thompson, a former Amazon engineer, managed to gain access to Capital One’s systems via Capital One’s use of AWS (Amazon Web Services). Hackers walked away with the personal information of more than 100 million customers who held credit cards or who had applied for credit card products. In June 2022, Thompson was found guilty for the attack.
• Marriott International, 2018: In a devastating attack that left more than 500 million users’ data compromised, hackers accessed the Marriott International’s network through security gaps in a third party vendor’s room reservation framework. This attack highlights how third party attacks can go under the radar and undetected for years as this attack actually happened in 2014 but was not detected until 2018!
• Twitter, 2020: Before Elon Musk’s takeover of the troubled social media giant, Twitter was devastated by a third party cyber attack in 2019. Hackers breached the security of a third party vendor that had access to Twitter’s network through social engineering attacks. Instead of just stealing data, which they did, hackers also gained control over high-profile Twitter accounts (such as Elon Musk and Bill Gates) and began promoting a bitcoin scam.
• SolarWinds, 2020: In another politically motivated attack, Russian hackers targeted SolarWinds, a company that provided many different third party services to multiple US government agencies and some private companies to boot. SolarWinds provides SaaS solutions for IT, supply management, network administration and more. As a result, SolarWinds has access to customer data, logs, and workflow tasks for many organisations. By breaching SolarWinds, these hackers hained access to sensitive government data and significantly disrupted governmental operations.
• Colonial Pipeline, 2021: The Colonial Pipeline supplies oil and gas through a complex pipeline network to the South-Eastern region of America. In 2021, hackers breached the security of the third party vendor that handled machinery used all through the pipeline system. They planted ransomware and managed to be successful in receiving a hefty ransom before normal services were resumed. This attack occurred because of one single compromised password!
• JBS, 2021: JBS, a Brazil-based meat processing company, produces one-fifth of the world’s meat, making it the world’s largest producer of beef, chicken, and pork. A cyber attack led to many of JBS’s slaughterhouses coming to a halt in Brazil, USA and even Australia. REvil, a Russian hacker group, was credited with the attack by many news outlets but they have not taken credit for it.

As you can see from the case studies above, every organisation needs to be aware of the potential risks associated with third party cyber attacks and take precautions against them. So, how can you fortify your third party security levels and awareness?

How to improve third party security and awareness?

There are many steps you can take to improve your third party supplier security. This includes anything from thorough background checks of all your vendors and suppliers to implementing an employee monitoring system to more engaging cyber awareness training for third party employees. It is also important to have an incident response plan in place and to test the plan regularly so that you are never caught unaware by third party attacks. It is also important to have a backup plan for your data and cyber insurance to cover the cost of recovery from a cyber attack.

Let’s explore how we can improve third party security and awareness in a little more detail:

• Background checks: Every organisation should review the past security incidents of any third party vendors they are working with, their security protocols and their official regulation compliance levels. This is a must do for any organisation as you must be sure that their security levels match your organisation’s security levels. In November 2021, the UK government announced that they will only work with third party suppliers that could prove they had “good cyber security”, following a period of increased attacks on government authorities. They also introduced the ‘Cyber Essentials’ scheme: a set of basic technical controls to help organisations protect themselves against common online security threats. Organisations can gain two Cyber Essentials badges after completing a scheme to certify their security maturity. Cyber Essentials is backed by the Information Assurance for Small and Medium Enterprises (IASME) and the Information Security Forum (ISF).
• Strict protocols and monitoring: Remember the pillars of security with strong firewalls, detection systems and response protocols. You must accept that even if you have the best security in the world, it takes one momentary lapse to be breached. Prepare for the worst and the ramifications will pale in comparison to what may have been. Kenco data reveals that 90% of supply chain professionals say monitoring technology is a high priority as companies need to monitor what is happening across the supply chain at all times.
• Third party specific protocols and guidelines: It may also be worth your time to prepare third party specific protocols, especially if you are entrusting them with handling sensitive data. Third party vendors may also not be aware of official regulations and your guidelines for security incidents, so an onboarding process is recommended. DCMS data reveals that 69% of CEOs and directors of Britain’s top companies say that their organisation actively manages supply chain cyber risks, but a third of them are not actively working to improve supply chain cyber security.
• Update and patch: It is extremely important that your third party suppliers are regularly prompted to update and patch any software and hardware they use whilst on your network. As you can see from the many examples above, hackers are always on the search for third party vendors that have not patched vulnerabilities to gain access to their intended target.
• Training and awareness programmes for all: No matter how complex and strong your security network is, it is only as strong as the employees using it. You must train employees and third party suppliers on best practices for identifying and responding to common cyber threats as well as regular updates on emerging cyber threats.
• Regularly test detection and response plan: Because hackers target third party vendors for vulnerabilities, it can take an exceedingly long time before the intended target realises that they have been breached. This is why it is vital that organisations regularly test their detection protocols and response plans. This will also ensure that all employees are vigilant and aware of what to do if/when a breach occurs.
• Network segmentation: One way to place a stop gap in your security network is to segment it. This means placing a security feature between your main master network and any third party supplier access. You can use multi-factor authentication and encryption to protect access to sensitive date. The UK’s National Cyber Security Centre recommends that every organisation follows the zero trust approach with verification needed from every user before access is granted. This added layer of security does no harm to workflow but does a world of good in adding obstacles for cyber criminals.

If your organisation can implement these measures then you have a significant chance of reducing the risk of third party vendor attacks and the ramifications of an attack, should one still occur.

However, one must also remember that cyber security awareness is an ongoing and growing process. Not one of the points made above is a one-and-done solution and must be constantly built upon. Cyber security awareness and training is the best way to keep employees and your organisation up to date with the ever-evolving cyber threat landscape.

Supply chain security is also your security!

The state of third party supplier cyber security and awareness is a critical issue for organisations in all industries. Third party vendors have access to sensitive data and important systems making them prime targets for cyber attacks. You must treat them as an extension of your own team as threat actors are doing just that!

In their 2022 Data Breach Investigation Report, Verizon concluded that supply chain attacks will “increase dramatically” over the coming year with focus on “critical infrastructure attacks” and “financially motivated … nation-state attacks”.

The threat landscape is changing and becoming even more sophisticated. As a result, organisations need to take a proactive approach to third party vendor cyber security and awareness.

With the right steps taken, every organisation can reduce the risk of a third party supply chain attack and protect their data and network from cyber attacks.

If you would like more information about how The Security Company can  help your organisation and supply chain vendors stay safe and deliver security awareness training and development for you in 2023 or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.