A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changes the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm.
Examples and scope of supply chain attacks
There's no end to major cyber breaches that were caused by suppliers. The 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach to a flaw in outside software it was using. It then blamed a malicious download link on its website to yet another vendor.
Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year's Panama Papers, it was a law firm that was the weakest link.
These aren't isolated cases. According to a survey conducted this fall by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. That number might be a little low. Only 35 percent of companies had a list of all the third parties they were sharing sensitive information with.
Only 18 percent of companies says they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
The problem gets worse when you consider that the risks don't end when the supplier relationship is terminated. This fall, Domino's Australia had a security breach and says a former supplier's system had leaked customer names and email addresses. "Most contracts I review don’t include adequate details for managing the tricky process of vendor termination," says Brad Keller, senior director of third party strategy at Prevalent, Inc.
Plus, regulators are increasingly looking at third-party risks. Last year, New York State financial regulators began requiring financial firms with a presence in New York to ensure that their suppliers' cyber security protections were up to par.