What Are the Top Supply Chain Cybersecurity Risks?

February 22, 2023 - Revolutionized Team

Revolutionized is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Learn more here.

Supply chain professionals must continually deal with a wide range of challenges, from shortages to slowdowns. However, they also must focus on supply chain cybersecurity. Attackers increasingly target supply chains because they know a single compromise can have devastating effects that ripple across the organization and degrade the customer experience. Let’s go into greater detail about some of the most prominent threats to today’s supply chain cybersecurity.

Low Confidence in Cybersecurity Readiness

When the security professionals in an organization know its weaknesses and have the resources to reduce those vulnerabilities, successful cyberattacks are less likely. However, a 2022 survey from the IT governance organization ISACA found that many IT professionals do not feel their workplaces are well prepared for supply chain cyberattacks.

Less than half of respondents (44%) expressed a high level of confidence in supply chain cybersecurity at their companies. Moreover, 53% said they didn’t expect security-related supply chain issues to improve over the next six months. 

When respondents explained some of the problems at their companies, the feedback covered many areas for improvement. For example, 84% of those polled said their supply chains needed better governance. 

Then, 60% said they had not coordinated and practiced cybersecurity incident response plans with suppliers. Almost 1 in 5 of the survey participants said they hadn’t created such plans at all.

Additionally, 49% said their organizations do not do penetration testing or vulnerability scanning on the supply chain. A lack of awareness makes it difficult or impossible to adequately protect the supply chain. It can also increase the time required to confirm and stop attacks in progress. 

Insufficient Third-Party Auditing

The supply chain’s nature requires companies to work with external providers. The primary associated risk is that a cyberattack affecting a vendor can easily spread to that vendor’s clients and, in turn, to their customers. Third-party attacks damage organizations and happen more frequently than many people realize.

However, another risk to supply chain cybersecurity is that company representatives may not audit their external partners enough. Research from cybersecurity defense company BlueVoyant found that 98% of respondents experienced negative effects from a cyber incident in their supply chains. 

Then, 67% said they audited supply chain partners more than twice a year. That’s an improvement over the previous year’s study, where only 53% responded that way. However, the percentage is still not as high as it should be. If a vendor’s customers don’t know how seriously that company takes cybersecurity, they will be caught off guard if things go wrong.

The great thing about an audit is that it lets clients and vendors become more proactive by identifying problem areas before those weak points cause problems. Moreover, an audit helps clients confirm that vendors did address issues found in other audits. If they didn’t, or are otherwise slow to act, that could be reason enough to put them on probation. 

However, two of the top pain points mentioned in the BlueVoyant study were ensuring people at the client company understand how suppliers are part of the overall security posture and working with suppliers to make security improvements. It certainly takes time and effort to overcome those challenges. However, doing so can pay off by making supply chain cyberattacks less likely to happen due to vendor shortcomings. 

The Rising Threat of Ransomware

Any thorough discussion of supply chain cybersecurity must include ransomware. Attacks happen with increasing frequency, and they’re often incredibly disruptive. Consider the example of a ransomware attack on Kojima Industries, a supplier of plastic parts and electronic components for Toyota. The incident caused Toyota to halt 28 production lines across 14 Japanese plants for at least a day.

That decision affected a third of Toyota’s global output, representing 5%, or 13,000 units. Toyota nevertheless opted to cease production to prevent further supply chain damage. This is an excellent example of how supply chain cybersecurity problems can spill over to affect companies other than those the attackers directly target.

A 2022 global study of IT decision-makers by Trend Micro revealed that 79% of respondents believed their customers and partners made their organizations more attractive ransomware targets. Another finding was that 52% of those polled had experienced ransomware hitting their partner organizations. 

However, a lack of information about attack types and methods could hurt everyone in the supply chain. The survey showed that less than half of companies (47%) provided information about ransomware attacks to their suppliers. Then, a quarter said they don’t give details of any threats to their supply chain partners. 

When Black Hat USA surveyed cybersecurity professionals for a report published in August 2022, most had a bleak outlook on ransomware. More specifically, 59% said the ransomware risk to their organizations had increased over the past two years. On a more positive note, 96% said they were able to stop ransomware attacks or mitigate their effects. That shows how having a strategy and the right tools can pay off.

The Trend of Hackers Impersonating Vendors

Business email compromise (BEC) attacks have been around for a number of years, but they have historically involved impersonating people within the targeted company. For example, a personal assistant might get an email from someone claiming to be the CEO, the recipient’s boss. The email might instruct the assistant to expedite a large money transfer or take some other action that results in the loss of funds.

Such attempts still happen. However, research from email cybersecurity company Abnormal showed that BEC attacks where cybercriminals impersonated external parties surpassed internal impersonations for the first time in January 2022. That pattern has continued. By May 2022, such BEC incidents comprised 52% of the total. 

How Do Hackers Act Like Vendors?

Abnormal’s analysis revealed the four types of BEC attacks where the perpetrators impersonate vendors: 

  • Vendor Email Compromise: This type of attack typically has the biggest impact because it involves an unauthorized party taking over the vendor’s actual inbox, usually by credential stuffing. In this case, cybercriminals can engage in long-term surveillance, carefully studying things like word usage and tone to make their crafted messages maximally authentic.
  • Aging Report Theft: This kind of attack involves someone impersonating an executive-level individual from a vendor. They then use information from outstanding invoices (the aging report) to contact the vendor’s customers and ask them to pay what they owe to a new account.
  • Third-Party Reconnaissance Attacks: Here, cyberattackers use open-source intelligence to learn more about the relationships between vendors and their customers. They then utilize that information to try and redirect payments, although they don’t have any direct knowledge of the specific transactions. 
  • Blind Third-Party Impersonation Attacks: In these instances, cybercriminals have no direct insight into vendor-customer relationships or financial transactions. Instead, they rely solely on social engineering to get the information they need from those who have it.

Improving email security isn’t easy, but one of the most straightforward controls is to require a non-email channel to verify a message’s validity. For example, someone could pick up the phone and speak to the CEO before going ahead with a significant money transfer, or call a vendor on a number already on file before changing where its payments are sent.
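The out-of-band verification step can be enforced by tooling rather than left to individual judgement. The script below is an added example, not code from the original article or from any of the companies it cites. It parses a vendor email, flags wording that asks to redirect payment, compares the sender domain against a constructed vendor allow-list (look-alike spellings and a mismatched Reply-To raise the severity), and holds every such request for phone verification on a number already on file. A genuine vendor domain still earns a hold, because in the Vendor Email Compromise case described above the real inbox is the one sending the message. All domains, addresses and messages are constructed for illustration.

```python
"""Hold vendor e-mails that request a payment change until verified out of band.

Added example; vendor domains, addresses and messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allow-list: domains of vendors the finance team actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-plastics.example", "northwind-logistics.example"}

# Wording that usually accompanies a request to redirect payment to a new account.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank|banking|account|wire|payment) (details|information|account)\b",
    r"\bupdated? (our )?(bank|banking|account|remittance) (details|information)\b",
    r"\bchange (of|in|to) (our )?(bank|banking|account|payment)\b",
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (a character or two off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain from a header such as 'Accounts <ap@vendor.example>'."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def lookalike_vendor(domain):
    """Known vendor domain this one imitates (within two edits), or None."""
    for known in sorted(KNOWN_VENDOR_DOMAINS):
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


def triage(raw_message):
    """Return {'hold', 'severity', 'reasons'} for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else sender
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    reasons = []
    if not any(re.search(p, text, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS):
        return {"hold": False, "severity": "none", "reasons": reasons}
    reasons.append("message asks to change where payment is sent")

    # A request from the genuine vendor domain still gets held: the inbox may be compromised.
    severity = "medium"
    mimic = lookalike_vendor(sender)
    if mimic:
        reasons.append(f"sender domain {sender} resembles known vendor {mimic}")
        severity = "high"
    elif sender not in KNOWN_VENDOR_DOMAINS:
        reasons.append(f"sender domain {sender} is not an approved vendor")
        severity = "high"
    if reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
        severity = "high"
    reasons.append("verify by phone on the number already on file, not one from this e-mail")
    return {"hold": True, "severity": severity, "reasons": reasons}


# Constructed sample messages.
RAW_LOOKALIKE = """From: Accounts <ap@acme-plastlcs.example>
To: payables@customer.example
Subject: Updated banking information for invoice 4471

Hello, please send payment for invoice 4471 to our new bank details below.
"""
RAW_VENDOR_CHANGE = """From: Accounts <ap@acme-plastics.example>
To: payables@customer.example
Subject: Remittance update

We have updated our bank details; future payments should go to the account below.
"""
RAW_REPLY_TO = """From: Accounts <ap@acme-plastics.example>
Reply-To: accounts@acme-plastics-billing.example
To: payables@customer.example
Subject: Banking change

Please note the change to our bank details effective immediately.
"""
RAW_INVOICE = """From: Accounts <ap@acme-plastics.example>
To: payables@customer.example
Subject: Invoice 4472

Please find attached invoice 4472, due in 30 days. Payment terms unchanged.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", RAW_LOOKALIKE), ("vendor-change", RAW_VENDOR_CHANGE),
                      ("reply-to", RAW_REPLY_TO), ("invoice", RAW_INVOICE)]:
        print(name, triage(raw))
```

The allow-list and the look-alike threshold are deliberately simple; in practice the vendor list comes from the accounts-payable system and the hold is released only after a finance staff member records the phone verification.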

Supply Chain Cybersecurity Deserves Ongoing Attention

These are only some of the many risks facing modern supply chains. There’s no easy or guaranteed way to safeguard supply chains against attacks. However, increasing awareness of the current weak points is an excellent starting point for supply chain cybersecurity.
