Cyber vulnerabilities: is supply chain your weakest link?
The global economy is beginning its recovery from the COVID-19 pandemic, but many of the trends that were set in motion by the ‘great reset’ of 2020 will not be going away: the ‘new normal’ is here to stay. Remote working has become commonplace, many services that went online during the pandemic will remain there, and the digital transformation of companies and even entire industries will continue to accelerate.
An unwelcome – though inevitable – consequence of these trends has been a corresponding rise in cybercrime. Some commentators have even talked about a ‘cyber pandemic’ fuelled by rises in ransomware, data breaches and cloud-based security issues as criminals take advantage of the fast-moving situation.
According to a recent study commissioned by CyberGRX, not only is this digital transformation increasing cyber risk, but it is also increasing reliance on third parties in order to compete in the digital economy. This means relying on third-party cloud and IoT providers, plus sharing data with suppliers providing such things as point-of-sale systems, HR systems and payrolls.
Taken together, the increased reliance on third parties, the increased sharing of data and network access, and the new vulnerabilities created by remote working have created a perfect ‘risk storm’ for opportunistic cyber criminals.
And it means that even the most robust security programmes can be undermined by less secure third-party vendors and supply chain partners.
The recent compromise of US software firm SolarWinds is an example of how damaging this risk exposure can be. A single backdoor inserted into SolarWinds's Orion network management software was distributed through the vendor's own signed updates to as many as 18,000 customers, including government agencies. Reports suggest that about 30 per cent of the organisations affected didn't even have a direct relationship with SolarWinds; they were simply connected to an organisation that did.
The attackers did not need a flaw in Orion itself: they compromised SolarWinds's build process, so the malicious code shipped with a valid vendor signature and was trusted by everyone who installed the update. That access was then used to gather intelligence and exfiltrate data from selected victims. The interconnectedness of the digital supply chains involved meant it became, according to Microsoft, "the largest and most sophisticated attack the world has ever seen."
"even the most robust security programmes can be undermined by less secure third-party vendors and supply chain partners"
Fred Kneip, CEO, CyberGRX
How big is the security threat from a supply chain vendor?
Our study found that more than half of all data breaches are linked to a third-party supplier further down the supply chain.
Moreover, based on the data collected from the third parties our customers have loaded into the CyberGRX Exchange, 20 per cent of an enterprise’s third-party portfolio on average exhibits a high inherent risk profile. ‘Inherent risk’ is the risk a third party poses before any security controls are taken into account, and determining it is critical to helping organisations understand where to focus their risk assessment efforts.
Considering that the typical enterprise has an average of 5,800 third parties, that 20 per cent figure represents a huge amount of risk that requires – at a minimum – some level of due diligence.
The first step, therefore, in developing an effective third-party risk management programme is to identify who the third parties are and to understand their inherent risk. Once it is clear which third parties pose the most inherent risk, a company can move on to due diligence and assessment to determine whether each one has the proper security controls in place to mitigate that risk.
Of course, in an ideal world, a company should understand that risk before onboarding a third party. Better risk assessments make it easier to write and mark up contracts with vendors and partners, and increase confidence in the supply chain.
However, the tools and processes that many organisations rely on to manage third-party cyber risk today are inefficient and error prone. The next 10 years will therefore bring a sea change in how companies across the economy address this critical category of risk. New approaches like cyber risk exchanges and advanced analytics will allow organisations to closely monitor and manage the cyber risk of even thousands of individual providers.
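The two points above, that exposure propagates through vendors of vendors (the roughly 30 per cent of SolarWinds victims with no direct relationship) and that due diligence should be ordered by inherent risk, are easier to see on a small vendor graph. The following is an added illustration, not code from the article or from CyberGRX: the organisations, vendor relationships and inherent-risk tiers are constructed for the example, and the tier ordering used to prioritise assessments is a hypothetical rule, not the CyberGRX scoring model.

```python
"""Transitive (nth-party) exposure over a constructed vendor graph.

Added illustration: the graph, the risk tiers and the prioritisation
rule are all invented for this example.
"""
from collections import deque

# Constructed sample data: each organisation -> the vendors it relies on
# directly (its third parties). Vendors may rely on vendors of their own.
DEPENDS_ON = {
    "acme-retail": ["cloud-host", "payroll-co", "pos-vendor"],
    "beta-bank":   ["cloud-host"],
    "payroll-co":  ["netmon-soft", "cloud-host"],
    "pos-vendor":  ["netmon-soft"],
    "cloud-host":  [],
    "netmon-soft": [],
}

# Hypothetical inherent-risk tier per vendor: the risk that exists before
# any security controls are considered (data shared, network access, etc.).
INHERENT_RISK = {
    "cloud-host": "high",
    "payroll-co": "high",
    "pos-vendor": "medium",
    "netmon-soft": "low",
}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def nth_parties(org):
    """Return {vendor: depth} for every vendor org relies on, directly or not.

    depth 1 = third party, depth 2 = fourth party, and so on; the depth is
    the shortest relationship path (breadth-first search)."""
    depths = {}
    queue = deque((v, 1) for v in DEPENDS_ON.get(org, []))
    while queue:
        vendor, depth = queue.popleft()
        if vendor in depths:
            continue
        depths[vendor] = depth
        for sub in DEPENDS_ON.get(vendor, []):
            if sub not in depths:
                queue.append((sub, depth + 1))
    return depths


def exposed_to(compromised):
    """Return the organisations that transitively rely on a compromised
    vendor, split into those with a direct relationship and those without."""
    reverse = {}
    for org, vendors in DEPENDS_ON.items():
        for v in vendors:
            reverse.setdefault(v, set()).add(org)
    direct = set(reverse.get(compromised, set()))
    seen, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for dependant in reverse.get(node, set()):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return {"direct": direct, "indirect": seen - direct}


def prioritise(org):
    """Order org's vendors for due diligence (hypothetical rule): highest
    inherent-risk tier first, then closer relationships, then by name."""
    depths = nth_parties(org)
    return sorted(
        depths,
        key=lambda v: (TIER_ORDER[INHERENT_RISK.get(v, "low")], depths[v], v),
    )


if __name__ == "__main__":
    print("acme-retail relies on:", nth_parties("acme-retail"))
    print("if netmon-soft is compromised:", exposed_to("netmon-soft"))
    print("assessment order for acme-retail:", prioritise("acme-retail"))
```

In the constructed graph, a compromise of `netmon-soft` reaches `acme-retail` even though `acme-retail` never contracted with it, which is the indirect exposure the SolarWinds figures describe; an inventory that stops at direct third parties would miss it. The prioritisation rule deliberately ranks a high-risk fourth party above a medium-risk third party, so that assessment effort follows inherent risk rather than contractual distance.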
And these new solutions are coming at an important time, as senior executives and board members demand to be kept abreast of third-party cyber risk management efforts, the organisation’s risk posture and the impact of third-party cyber risk on strategic planning.