Back-door cyber threat leaving supply chains exposed

Supply chains often comprise thousands of vendors, many of which might be vulnerable to cyber attacks. Hackers often target such vendors as a means of gaining access into a larger company, the so-called backdoor attack.
Supply vendors are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the larger organisation itself.
If a cyberattack on a supplier or other third party leaves it unable to deliver key products or services, the problem can escalate very quickly and disrupt business continuity.
Internally, the biggest cyber threats come from suppliers or other third parties who have access to an organisation's IT networks.
Externally, the biggest threat is from third-party organisations who perform a critical business process or deliver a key product to the first party.
Yet despite the high-tech world we live in, a good deal of cybersecurity is not complicated; much of it comes down to sound housekeeping and well-managed communications, both in-house and external.
James McDowell is MD of BlueVoyant UK, whose cloud-based cybersecurity platform, BlueVoyant Elements, detects and responds to cybersecurity incidents.
But the stark truth is that too many businesses have a supply chain security problem. McDowell says that industry research suggests that on monitoring and mitigating cybersecurity risk in the supply chain "the needle has barely moved in the past three years".
He says that with economic uncertainty "putting pressure on budgets and cybercriminal activity escalating", organisations "must urgently consider how they are going to address this".
He adds: "Companies must urgently consider how they're going to address this issue because maintaining the status quo is simply not sufficient.
"It's a status quo whereby 97% of companies have experienced negative consequences due to a cybersecurity breach among the external vendors and suppliers that form their supply chain."
More concerning still, says McDowell, is that BlueVoyant research shows that even among organisations that take steps to mitigate third-party cybersecurity risk, more than one-third of them reassess that risk only every six months. "And just 3% of them are able to monitor risk daily or in real time," he says.
"A lot can happen in a week to take a supplier from compliant to high-risk," McDowell points out. "So if you multiply that by the six months or more at which organisations are typically reassessing their vendors, it is clear that the level of unmanaged risk is considerable."
BlueVoyant's research, conducted among 300 senior UK cybersecurity professionals, also found the average organisation had suffered more than four breaches in 2022, up from just over 3.5 breaches on average in 2021.
"This points to a huge visibility problem," says McDowell. "The majority of cyber risk in the digital supply chain is going undetected for long periods. This allows potential attackers ample time to infiltrate systems, island hop from one to another and launch destructive attack campaigns with little risk of being discovered."
He adds: "This means that most businesses are easy targets for attacks, and are exposed to the threat of operational disruption, financial losses and reputational damage during a time when economic uncertainties severely impact the chances of recovery."
McDowell says that, when it comes to supply chain cybersecurity, many organisations "are understandably stumped by the scale of the issue".
He adds that today's vendor ecosystems are massive and complex, sometimes comprising thousands of suppliers with varying levels of access to a business's systems and infrastructure.
"Monitoring all these using conventional methods, such as surveys, generates a huge administrative burden and only provides limited assurance of a supplier's cybersecurity posture at a single point in time," he says.
McDowell says that although this "ticks a compliance box it doesn't offer a picture of evolving risk that helps the business adapt strategically to the threat environment".
Typically, he says, a business looks more closely at its top-tier suppliers, "which are mainly those with whom it has strategic relationships".
"But they have less bandwidth to monitor the long tail of other suppliers," he adds. "Nevertheless, it only takes one of these lower-profile partners to become victim to an attack to set off a domino effect of network compromises."
Resolving this, he says, requires "a step change" in how organisations gain visibility over third parties, and "deploying automation is the logical step to take".
McDowell reveals that BlueVoyant's research found that UK companies are less likely than those in other countries to use a vendor risk-management programme, with just 36% saying they have one in place, compared with 41% of respondents from elsewhere.
He says this pattern might be linked to budgets.
"UK organisations are less likely than those in other regions to be getting cybersecurity budget increases."
But he warns that the "intensive threat landscape" should be enough to prompt businesses to reconsider budgets.
"They need to consider whether the price is worth paying, to avoid the currently almost certain risk of suffering a breach via the supply chain."
McDowell says that when it comes to managing alerts arising from vendor monitoring, companies "should look towards advanced AI-powered options" because "these can lift the burden of analysis and prioritisation".
He adds that "it's important there is the facility for human review of key decisions and processes".
"The investment needed to establish effective third-party cyber risk management is not as high as you might think," he says, adding that "implementing a robust solution delivers a host of strategic data that can be incorporated into corporate risk management and decision-making processes".
He continues: "Businesses should look for solutions capable of scaling, to cover all suppliers. They should also aim for continuous monitoring so that attackers' window of opportunity is limited as far as possible, and risk is reduced accordingly."
This, he says, allows businesses to proactively manage their supply chains and to deliver greater resilience at a time when it is badly needed. "And of course, compared to the cost of a breach, the investment is a price well worth paying," he stresses.
