Growing Supply Chain Risk Threatens to Swamp Businesses
Supply Chain Risk Brings Unexpected Danger to Your Door
No business is an island. In the current hyperconnected, digital-first landscape, every enterprise is connected to numerous other entities. Those connections may include vendors, consultants, service providers, distributors, manufacturers, utility providers and government agencies. Every time an organization enters into a new collaboration or partnership, it will most likely have to provide its new partner with sensitive data, like financial, employee or proprietary information. And every time a company provides its new ally with sensitive business information, it opens another channel of third-party or supply chain cyber-risk.
Excerpted in part from A Comprehensive Guide to Third-Party and Supply Chain Risk.
Every business is facing escalating supply chain cyber-risk
Supply chain cyberattacks were the story of the year in 2023, with more than 2,600 businesses worldwide impacted by the MOVEit file transfer exploit. We asked information technology (IT) professionals about their companies’ experiences with supply chain and third-party risk for our Kaseya Security Survey Report 2023. The majority of our survey respondents (61%) said their organization has experienced a cyberattack through their supply chain or a third-party service provider.
Since it’s nearly impossible to do business without forming new relationships, supply chain risk is never going to go away. The third-party risk management market is expected to reach $9.66 billion by the year 2027. It’s in every company’s best interest to find ways to secure its data, employees and customers against the dangers presented by supply chain security risks. In this guide, we’ll show you how the cycle of supply chain risk works, the consequences a business may experience and how to mitigate this type of risk.
Have you experienced a supply chain attack through your supplier or service provider?
Response | Share of respondents |
Yes | 61% |
No | 33% |
I don’t know | 6% |
Source: Kaseya Security Survey Report 2023
A new generation of supply chain risk is emerging
A company’s risk of trouble from a third-party or supply chain data breach constantly changes based on data supply and demand. Before the recent surge, the last time supply chain risks were on the front page was during the COVID-19 pandemic. By mid-2022, organizations across the world had somewhat regained control over their networks and improved the security of their digital assets in the value chain to provide a better defense against cyberattacks. Gartner projects that 45% of global organizations will experience a supply chain attack by 2025.
However, in 2023, bad actors made some big and, unfortunately, effective changes to their strategies to counter that increase in security. They became more aggressive, took advantage of the booming Cybercrime-as-a-Service economy on the dark web and started launching more carefully planned, strategic ransomware attacks. Big-ticket companies with global supply chain networks became the go-to targets. All any bad actor needed was one small slip-up in a target’s IT security. In 2023, supply chain cyberattacks in the United States impacted 2,769 entities, the highest reported number since 2017.
Supply chain risk comes from many directions
Supply chain risk isn’t just coming from one vector, nor is there just one cause for it. Bad actors have a myriad of reasons why they’re conducting cyberattacks against companies in the supply chain. Many factors go into creating third-party and supply chain risk for businesses, including:
- Industry trends
- Political activity
- Scarcity of resources
- Desirability of information
- Zero-day exploits
- The ebb and flow of the dark web
For example, one major reason why supply chain attacks grew so prolific in 2023 is the evolution in nation-state threat actor activity around the Russo-Ukrainian war. According to Google’s Threat Analysis Group (TAG), increased Russian government support led to government-backed cybercriminal gangs increasing their pace of attacks. The conflict also spurred Russia-aligned gangs specializing in ransomware attacks to target large, digital supply chains in a bid to cut Ukraine’s supply lines.
The MOVEit exploit rocked the world
The story of how one cybercriminal group capitalized on a vulnerability in a widely used brand of business software to launch a plethora of cyberattacks is a good example of how third-party and supply chain risk can quickly endanger a company. Progress Software’s popular managed file transfer (MFT) solution, MOVEit Transfer, became a gateway to trouble when Cl0p, a Russia-aligned Ransomware-as-a-Service (RaaS) gang, successfully exploited a zero-day vulnerability in the software to launch ransomware attacks.
Once they discovered the vulnerability, Cl0p cleverly targeted MOVEit Transfer to gain access to valuable data that they could sell and information that could be used to facilitate further attacks. By tapping into the business supply chain through service providers, Cl0p was able to launch a cascade of cyberattacks hitting businesses in every sector.
Although Progress quickly released a patch for the vulnerability, the damage was already done. Organizations that trusted the MFT solution to safeguard their data or relied on businesses that used MOVEit were quickly caught up in the tide of attacks. Here’s a list of some big names that were affected by the hack solely via supply chain channels:
- Deloitte
- British Airways
- Estée Lauder
- Chuck E. Cheese
- The Hallmark Group
2023 saw the first confirmed incident where one software supply chain attack enabled another
In another instance, the breach of 3CX, a VoIP solutions provider that develops its communications software using an open standards-based approach, shook the cybersecurity community in March 2023. What makes this supply chain attack particularly interesting is that this is the first confirmed incident where one software-supply-chain attack enabled another.
In this incident, a 3CX employee downloaded an application called X Trader that was available on Trading Technologies’ website. A North Korean hacker group had previously breached Trading Technologies and, in that incident, had successfully injected malicious code into the app. So, when the infected X Trader app was installed on the 3CX employee’s computer, it enabled the hackers to access 3CX’s network, reach a server 3CX used for software development and corrupt a 3CX installer application.
Through this hack, North Korea-based hackers were able to send out malware to a huge number of 3CX’s 600,000 customers. The 3CX story is a wild and perfect example of how a security flaw in a fourth-party vendor application can aid bad actors in breaching the digital privacy of numerous organizations and millions of individuals.
Mitigating cyber risk is easy with Kaseya’s Security Suite
Kaseya’s Security Suite has the tools that MSPs and IT professionals need to mitigate cyber risk effectively and affordably, featuring automated and AI-driven features that make IT professionals’ lives easier.
BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.
Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
Graphus — This automated email security solution is a cutting-edge product that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.
Kaseya Managed SOC powered by RocketCyber — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud.
Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).
Vonahi Penetration Testing – How sturdy are your cyber defenses? Do you have dangerous vulnerabilities? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.
Learn more about our security products, or better yet, take the next step and book a demo today!