How to reduce the risk of supply chain attacks

The announcement of a hack on IT monitoring company SolarWinds in December 2020 brought supply chain cybersecurity threats to the forefront, although they are not a new phenomenon.

In fact, according to Sophos’ 2020 poll of 5,000 IT managers from 26 countries [1], nearly one-tenth of ransomware victims (9%) said the assault came from a trusted third-party supplier.

But what precisely is a supply chain attack, and how does it work? More importantly, what can you do to defend your business from the consequences of a supply chain attack?

This paper answers these and other questions.

What is a supply chain attack?

Organizations often rely on some form of third-party supplier to manage all or part of a particular business function, such as IT infrastructure. While enabling third-party suppliers to connect to your network does have business benefits (freeing up in-house resources, for example), it inherently introduces security risk – namely vulnerability to supply chain attacks.

In a supply chain attack, rather than infiltrating you directly, attackers instead exploit the access that trusted third-party suppliers already have to your systems to gain a foothold in your environment. Once they’re in, they can conduct all sorts of malicious activity.

Having just a single supplier connected to your network introduces the risk of a supply chain attack.
On average, however, small and mid-sized organizations report having at least three suppliers who can connect to their systems [2]. Securing these connected suppliers creates substantial challenges and an increased workload for IT teams. To compound the challenge, supply chain attacks are notoriously difficult to detect, let alone defend against, as they can come from any part of your supply chain.

Types of third-party suppliers

Professional services and IT service providers are two of the most common third-party suppliers that can connect to an organization’s network.

Professional services

Professional services are often employed by organizations to independently manage business functions (or parts of them) when they don’t have the specialized skills and knowledge required internally. Take for example an accountancy firm that needs to have access to sensitive financial data (through software) to provide the client with the analysis and insights they have been employed to deliver. As you can imagine, a successful cyberattack on such an organization could be devastating for its portfolio of clients.

IT service providers

IT service providers are external organizations entrusted with the running of a company’s IT infrastructure and/or IT security. Often known as managed service providers (MSPs) or managed security service providers (MSSPs), they are frequently targeted in supply chain attacks.

They’re particularly attractive targets for attacks because they hold the keys to many different customer organizations. With the number of organizations outsourcing their IT security set to rise to 72% by 2022 [3], the security posture of these third parties is of paramount importance to your own.