The Underestimated Cyber Threat: Anticipating and Combatting Supply Chain Attacks

By Prasad Sabbineni, Co-Chief Executive Officer at MetricStream

Cybersecurity threats are multi-faceted, often connected, and accelerating fast. Ransomware, nation-state attacks, employee errors, and third parties – all pose risks for enterprises seeking to safeguard their organizations and customers from cyber attacks and the resulting consequences.

One particularly insidious threat is the supply chain attack. Particularly in today’s interconnected, digital world that favors diverse sourcing, supply chains are increasingly vulnerable to cyber breaches. Even a seemingly small entry point – say, an outdated password on a legacy system – can open the door to massive havoc that can impact and even shut down an entire business.

What is a Supply Chain Attack and How Do They Happen?

A supply chain attack is an orchestrated strike by cybercriminals to find and take advantage of vulnerabilities in the connected network of suppliers, vendors, and contractors that support an organization’s operations – sometimes called the extended enterprise, or the 3rd/nth parties.

Bad actors use a “back door” approach by targeting these downstream suppliers or third parties with the goal of getting to the ultimate organization. Usually, the ultimate target is larger or more desirable and theoretically harder to breach. By using the smaller or less protected supplier, hackers can gain access through malware or other malicious code, such as viruses, ransomware, or other programs designed to steal data or disable systems.

SolarWinds, for example, was hit via a devastating attack on a software supplier impacted numerous organizations, including government agencies. Another would be the attack Log4j was dealt due to a vulnerability in a widely used open-source logging library that exposed many organizations to potential attacks. There are countless other examples over the years, and hackers have only become smarter especially as supplier networks have continued to multiply exponentially due to the many benefits they bring to an organization.

Vulnerabilities are on the rise, too: up 180% from 2022 to 2023, according to Verizon’s 2024 Data Breach Investigations Report. The same report shows vulnerability exploitation of web applications specifically represented roughly 20% of data breaches, with VPN vector exploitations expected to take up an increasing share by 2025.

Assessing the Impacts of Supply Chain Attacks

A supply chain data breach has obvious immediate implications: compromised data, the potential need to shut down systems, the cost of remediation and recovery, and the likely decline of customer trust.

Longer-term implications include financial losses, reputational damage, regulatory penalties, and operational disruptions. In industries such as healthcare or critical infrastructure, where safety is paramount, the consequences can even become life-threatening.

Supply chain attacks also have a “ripple effect”: rarely is just one supplier impacted. Think of the chip shortage in 2023. While not the result of a data breach, Tesla was severely impacted in 2023.

Strategies to Stay Ahead of Supply Chain Attacks

To stay ahead of cyber attacks, including supply chain attacks, organizations must carefully manage their cyber and IT risk as part of coordinated risk strategy that includes:

• Vetting and monitoring of third parties: All third parties, including suppliers, vendors, and contractors, must be assessed when onboarding to understand their security posture and risk management practices. Ongoing monitoring is a must for continued due diligence and alerting to potential security issues. And ensure you have a robust program for offboarding third parties and suppliers. Old credentials provide an easy entry for malicious actors.
• Enterprise-wide risk assessment: Connect risk data across divisions and globally for a complete view of risk. Use autonomous monitoring to detect potential risks and control failures to prevent malicious entry.
• Incident preparedness: Tailor incident response plans to identify and monitor the critical suppliers in the supply chain. Ensure coordinated efforts are in place to effectively respond to security incidents. Most critically, protecting against supply chain attacks requires proactive collaboration, coordination and communication.

Why Short-Term and Long-Term Risk Management Matter

Cyber risk management is essential because cyber threats are accelerating along with vulnerabilities, and organizations can’t afford to be complacent.

Consequences of lackadaisical risk management include immediate impacts of a breach – lost data, downtime, and costs of remediation – as well as longer-term consequences.

Brand reputation and competitiveness are at stake, as are relationships with other suppliers. Regulatory repercussions are real, especially with the advent of resilience legislation like the EU’s Digital Operational Resilience Act (DORA) and the SEC’s Cybersecurity Rule, both of which come with stringent consequences for not managing and reporting cyber attacks.

Finally, risk leaders can even be held personally accountable for the consequences of attacks. CISOs are the most obvious candidate, but Chief Compliance Officers also may be liable. And even non C-level leaders may not be exempt.

Stay Prepared – And Stay Ahead of Risk

With interconnected risks growing fast and technologies like AI making bad actors even smarter, the stakes in cyber risk have never been higher. Proactive, collaborative cyber risk management can’t completely prevent cyber and supply chain attacks, but it can empower organizations with agility and resilience to lessen their inevitability – and rebound with confidence.