What is the Difference Between Third Party Risk and Supply Chain Risk?

---

See real-life examples of third party risk and supply chain risk

---

In today’s hyper-connected digital world, with cyberattacks becoming more sophisticated and prevalent, businesses face an ever-growing threat landscape. As organizations increasingly rely on external partners and vendors for various services, understanding and managing cyber-risks has become paramount. One growing category of cyber trouble that businesses face is cyber risk from outside the organization, typically called third-party cyber risk and supply chain cyber risk. While the terms may seem interchangeable, they encompass distinct challenges and considerations that demand careful attention. 

---

Excerpted in part from The Comprehensive Guide to Third Party and Supply Chain Risk DOWNLOAD IT>>

---

What is the difference between third-party risk and supply chain risk? 

---

These two terms are often used interchangeably across industries, but doing so can be misleading when getting into the specifics of cybersecurity. Although third-party and supply chain risks are related concepts — and share the same business-destroying ingredients — they have distinct meanings.  

---

Third-party risks  

---

This category includes risks created by entities that a business is not directly purchasing from or selling to. Third-party risks are presented by actors that may have a direct or indirect influence on your business’s IT environment. Managing such risks involves the assessment of a third party’s cybersecurity practices and vulnerabilities to create and implement effective security strategies. Some examples include: 

• Government agencies 
• A service provider’s connections 
• Apps that employees download 
• Open-source software or tools 
• Freemium-as-a-Service 

---

Supply chain risks 

---

A much broader category, supply chain risk encompasses the risks associated with your entire value chain. Distinctly separate from third party risk, this category includes entities involved in the production and distribution of goods and services at any given level. Such risks can lead to a variety of cybersecurity issues, like breaches, data leaks or cyberattacks, via weaknesses or compromises in the products, software or services provided by your suppliers and partners. Some examples include: 

• Manufacturers 
• HR service providers, like payroll management 
• Distributors and vendors 
• Customers 
• Contractors 

---

---

Common characteristics of third party attacks and supply chain attacks 

---

Every business relies on suppliers and service providers, so every organization could be vulnerable to a third party attack or a supply chain attack even when its own defenses are good. While no two cyberattacks are exactly the same, third party attacks and supply chain attacks tend to share these common markers: 

Malware infection: Cybercriminals use malware in the form of spyware, viruses, worms and Trojan horses to gain access to a supplier’s systems. Once they have access to the systems, they modify the third party code sources their target customers use to gain entry into their systems. Threat actors primarily use phishing emails to inject malware.  

Social engineering: Social engineering is another technique that starts with a phishing email. In this technique, cybercriminals use evasive social engineering lures to trick users into divulging their credentials, like usernames and passwords. Once they get hold of the credential data, they sneak into the company’s system and launch the attack.   

Software vulnerability: Unpatched software is the easiest target for adversaries to breach an organization’s systems and a common exploit in third party attacks and supply chain attacks. This vector of attack is epecially insidious because it can erode customer confidence in software providers on whom organizations depend for security updates. 

Brute force attacks: In brute force third party attacks or supply chain attacks, cybercriminals use trial and error hacking methods to crack passwords, login credentials and encryption keys. It is a common technique to gain unauthorized access to user credentials and organizations’ systems and networks. 

---

---

Every relationship increases a company’s risk of trouble 

---

A cybersecurity nightmare that results from a third party data breach or supply chain data breach can happen to any organization — from massive corporations to the smallest of businesses — through no fault of your own. Every week, we report on those incidents in The Week in Breach. As these examples drawn from our reporting demonstrate, it’s essential that every organization be prepared for unexpected risks and develop cyber resilience to blunt the impact of another company’s data breach. 

---

Tesla and Visser 

---

When the DoppelPaymer ransomware gang launched a successful attack against precision aerospace parts manufacturer Visser, they didn’t just get that company’s sensitive data. The gang also scored sensitive data about Visser’s clients, including Tesla, Space X, Boeing and Lockheed Martin. The stolen records contained correspondence, non-disclosure agreements and even partial schematics. 

---

The National Trust (UK) and Blackbaud 

---

In a breach that reverberated around the world, more than 170 foundations, charitable organizations, schools and medical systems, including the UK National Trust, were impacted by a data theft incident that occurred as part of a ransomware attack at cloud computing provider Blackbaud. In some cases, sensitive information was exposed, like donor lists and records, leading to a ripple effect of trouble across many organizations. 

---

---

GitHub and its 100+ million users 

---

GitHub is Microsoft’s open-source code repository that over 100 million developers rely on for software development and collaboration. The supply chain attack was discovered on August 3, 2022, as hackers cloned and added malicious code to over 35,000 GitHub repositories. However, the bad actors sneakily retained the code’s original source code to make it easier for them to evade detection. Around 13,000 repositories from one spoofed organization, Red Hat OpenShift Ecosystem, were affected. Using a combination of spoofing techniques and malicious code that could download malware from third-party sites, the hackers could gain unauthorized access to a developer’s applications and IT environments. 

---

MOVEit Transfer and Zellis 

---

Zellis, a payroll and HR services company based out of the United Kingdom, was at the heart of one of the early instances of the MOVEit Transfer supply chain attack. Zellis works with numerous Financial Times Stock Exchange (FTSE) 100 companies and maintains access to the financial and personally identifiable information (PII) of thousands of employees within each client organization. Cl0p leaked information, like employee names, dates of birth, home addresses, salaries, and worst of all, banking information. TechCrunch reported that by the end of 2023, the MOVEit vulnerability cost businesses over $9.9 billion.

---

---

Kaseya ‘s Security Suite Helps Businesses Mitigate All Types of Cyber Risk Affordably

---

Third party attacks and supply chain attacks are expected to be a continued problem for businesses as the world grows more interconnected and cybercriminals look for new ways to conduct successful cyberattacks. It is essential for businesses to take action now to ensure that they are ready for today’s sophisticated cyberattacks and building on a strong foundation of cyber resilience to be prepared for the next generation of cyber threats. 

Kaseya’s Security Suite has the tools that MSPs and IT professionals need to mitigate third party risk and supply chain risk effectively and affordably, featuring automated and AI-driven features that make IT professionals’ lives easier.  

BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.     

Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.    

Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.      

Kaseya Managed SOC powered by RocketCyber — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud.      

Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).      

Vonahi Penetration Testing – How sturdy are your cyber defenses? Do you have dangerous vulnerabilities? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.   

Learn more about our security products, or better yet, take the next step and book a demo today!

---

---

---

---