Overcoming Supply Chain Cyber Security challenges: Where organisations need to focus in 2025

Supply Chain cyber security attacks have been in the news throughout the last 12 months. Latest research suggests 47% of organisations suffered a disruptive outage over the last year from a breach related to a vendor. In this blog post Cyberfort cyber security professionals discuss where organisations need to focus in 2025 to improve their supply chain cyber security strategies and how they can make themselves more resilient to attack.

What are the main types of supply chain cyber security attacks?

From our experience at Cyberfort there are two main types of supply chain cyber-attack. Both should be considered high risk, although for different reasons. While both meet the definition of a supply chain attack (compromising or damaging an organisation by targeting less secure elements in its supply chain), each type typically has different targets and requires different threat actor capabilities, and both need to be considered when discussing supply chain cyber security.

Software supply chain attack
Here a piece of technology purchased by the organisation is compromised. This is typically not an attack targeted at an individual end user (though in extreme cases it can be) but rather an opportunity for a one-to-many breach. Examples include embedding a backdoor or exploit into the vendor's software, which can then be used either by the original attackers or by other malicious actors who have purchased access to it, to get into every organisation that uses the product; or compromising a third-party data store to gain access to the data of every company held there.

Direct supply chain attack
Where a malicious actor wants to gain access to an organisation known to have mature processes and cyber security tooling, they may instead seek to compromise one of its suppliers (for example a marketing agency producing the annual report, a cleaning company providing facilities services, or a manufacturer making a small part of an overall solution). These attacks are typically more targeted and have specific goals in mind, for example compromising a defence prime through a small manufacturer supplying a specialist item. The prime will have stringent controls, monitoring and policies; the sub-contractor may well be less mature, and in any case there is usually some degree of human or system trust between the two, because that is the normal way for data and interactions to flow.

Just how big an issue is the threat of cyber-attacks stemming from the supply chain, as a result of an attack on a supplier? Do businesses put enough emphasis on this?

Industry reports suggest software supply chain attacks cost around $46Bn in 2023 and are predicted to increase by 200% in the next decade. 

The one-to-many payback, and the delay between the initial compromise and its exploitation, make this an attractive area for malicious actors. Even when made aware of the risk, many businesses have only considered it for new procurements and have not applied the same rigour to solutions already in place.

Direct supply chain attacks are harder to quantify in monetary terms, but anecdotally around 40% of the incidents we have dealt with recently in our incident response work at Cyberfort have had some element of supply chain compromise. Often this was simply spear phishing sent from the genuine mailbox of a company that worked with the victim, so that both technical controls (the domain was trusted and its emails allow-listed) and human controls ("I know Joe, so of course I'll click on this link") were bypassed.

At a more sophisticated level, we have seen facilities contractors asked to admit individuals, to plug in chargers carrying USB malware, and to carry out other seemingly harmless activities that underpinned a breach.

What are the main risks here for organisations? How might a cyber-attack on a supplier cause issues for customers?  

The risks here are many and varied: any kind of software can contain exploitable vulnerabilities, any service provider can have weaknesses that are exploited, and any sub-contractor can be compromised.

They range from ransomware and extortion, through data exfiltration and network compromise, to sensitive data leaks and denial of service, meaning that business disruption, reputational damage and regulatory fines are all potential outcomes.

What can organisations do to reduce the risk, both internally and through working with suppliers?  

The first stage is to understand the suppliers you have in both categories (software and services), their cyber maturity, and whether they are required to disclose incidents to you. Especially in smaller companies, controls are often lacking and too much trust is placed in employees, with security being an "add-on" job for IT.

Secondly, assess, validate and evidence the controls your supply chain has in place. A simple way to do this is to assess the access each supplier has to your people and environments, and then insist that they evidence controls comparable to your own for that level of access. Make this a key component of every procurement, whether software or services.

Additionally, make disclosure of any cyber security incident within the supplier a contractual obligation. Request evidence of penetration testing, vulnerability management and user awareness training (where you cannot get this evidence, weigh the risk before you purchase). Key steps to reduce supply chain security risk should include:

Create ring-fenced and surrounding controls for supply chain access, such as segregated landing zones for supplier connections, visible highlighting of messages from external organisations in email, and strict policies on staff "helping" suppliers outside agreed processes.

Validate that your emergency patching and crisis scenario testing cover both software supply chain and direct supply chain attacks.

Include suppliers' email addresses as senders in your phishing testing, so that your organisation gets used to the fact that breaches can (and do) arrive this way.

Sign off every new procurement with an individual security assessment, conducted and evidenced independently of the procurement team.
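The spear-phishing case described earlier (mail from a genuine supplier mailbox, so the allow-listed domain and the familiar name both pass) and the email highlighting recommended above can be combined into a single gateway rule. The following is an added example, not Cyberfort code or any product's logic. The supplier allow-list, the three sample messages and their Authentication-Results headers are all constructed for illustration. The rule applies supplier trust only when DKIM is aligned with the From domain, and even then treats links that leave the supplier's own domain as a warning, because a compromised supplier mailbox authenticates perfectly.

```python
"""Triage of inbound mail that claims to come from an allow-listed supplier.

Added example (not Cyberfort code). Supplier domains, messages and the
Authentication-Results values are all constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical allow-list of supplier sending domains.
SUPPLIER_DOMAINS = {"acme-marketing.example", "partsco.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address such as 'Joe <joe@x.example>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def same_org(domain: str, org: str) -> bool:
    """True if domain equals org or is a subdomain of it."""
    return domain == org or domain.endswith("." + org)


def parse_auth_results(msg: Message) -> dict:
    """Parse Authentication-Results into {method: (result, domain)}.

    A production gateway must also check that the header was added by its own
    MTA (the authserv-id) rather than supplied by the sender, and strip any
    copies that arrived from outside.
    """
    results = {}
    header = msg.get("Authentication-Results", "")
    for clause in header.split(";")[1:]:        # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip(), re.IGNORECASE)
        if not m:
            continue
        dom = re.search(r"(?:header\.d|header\.from|smtp\.mailfrom)=([\w.-]+)", clause)
        results[m.group(1).lower()] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return results


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From", ""))
    verdict = {"sender": sender, "findings": [], "external_links": []}

    if sender not in SUPPLIER_DOMAINS:
        verdict["verdict"] = "external"
        verdict["banner"] = "[EXTERNAL]"
        return verdict

    # 1. The allow-list only applies when DKIM passed for the From domain
    #    (or its parent); a spoofed From header must not inherit supplier trust.
    dkim_result, dkim_domain = parse_auth_results(msg).get("dkim", ("none", ""))
    if dkim_result != "pass" or not same_org(sender, dkim_domain):
        verdict["findings"].append("From claims a supplier domain but DKIM is not aligned")
        verdict["verdict"] = "quarantine"
        verdict["banner"] = "[QUARANTINED: supplier spoof]"
        return verdict

    # 2. Authentication passes for mail sent from a genuinely compromised
    #    supplier mailbox, so trust is still bounded: links that leave the
    #    supplier's own domains are flagged for the recipient.
    body = msg.get_payload(decode=True) or b""
    links = {d.lower() for d in URL_RE.findall(body.decode("utf-8", "replace"))}
    verdict["external_links"] = sorted(d for d in links if not same_org(d, sender))
    if verdict["external_links"]:
        verdict["findings"].append("links point outside the supplier's domain")
        verdict["verdict"] = "warn"
    else:
        verdict["verdict"] = "trusted"
    # 3. Even trusted supplier mail is visibly marked as coming from outside.
    verdict["banner"] = f"[SUPPLIER: {sender}] Verify unexpected requests by phone"
    return verdict


# Constructed sample messages (not real traffic).
GENUINE = """\
From: Joe <joe@acme-marketing.example>
To: finance@customer.example
Subject: Annual report draft v3
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=acme-marketing.example; dkim=pass header.d=acme-marketing.example; dmarc=pass header.from=acme-marketing.example

Hi, the draft is at https://files.acme-marketing.example/report-v3 for review.
"""

COMPROMISED_MAILBOX = """\
From: Joe <joe@acme-marketing.example>
To: finance@customer.example
Subject: Updated invoice - please approve today
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=acme-marketing.example; dkim=pass header.d=acme-marketing.example; dmarc=pass header.from=acme-marketing.example

Please sign in at https://sharepoint-login.example/acme/invoice to approve.
"""

SPOOFED = """\
From: Joe <joe@acme-marketing.example>
To: finance@customer.example
Subject: Updated invoice
Authentication-Results: mx.customer.example; spf=fail smtp.mailfrom=bulk.mailer.example; dkim=none

Please sign in at https://sharepoint-login.example/acme/invoice to approve.
"""
```

The second sample is the case from the incident figures above: Joe's real mailbox, every authentication check green, and the only signal left is that the link does not belong to Joe's company. The banner on the first sample is the "highlighting in email messages" control; it costs nothing and reminds the reader that a supplier is still an outside party.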

What steps should suppliers have in place as a minimum? Should this be part of a due diligence process when selecting and reviewing suppliers?  

From our experience at Cyberfort we advise all organisations to take the following 8 steps:

Validate your own supply chain: suppliers and their sub-suppliers tend to get smaller at each tier, and cyber maturity tends to fall with size.

Ensure your security controls are appropriate for the level of business risk you’re dealing with.

Migrate to SaaS where possible, utilise the security packages for an efficient and effective minimal effort approach to security management.

Validate and evidence the controls your suppliers have in place; this should not cost you the effort, so hold the supplier to account for producing the evidence.

Make sure you hold Cyber Essentials Plus.

Keep on top of penetration testing and vulnerability management (see the SaaS point above) and keep a record of the evidence.

Understand what your customer expects of you in security and compliance, and price this into your solution.

Ask your customer about their controls, likely targets and defences, find a trusted advisor/partner to help you extrapolate this to the threats you are likely to face.

How can organisations go about monitoring suppliers (and the wider supply chain) to reduce the risk that they will be impacted? Can AI help?  

The challenge with monitoring suppliers (and a number of solutions purport to do this) is that they are typically focused on one of two things:

Forms completed by the supplier (and the smaller the supplier, the more likely the form is to be completed incorrectly, whether deliberately or through lack of knowledge).

Systems that look only at external posture. This matters because indicators of risk can look extensive externally yet be greatly reduced by surrounding controls. For example, a supplier having credentials exposed publicly looks very bad; however, if this is mitigated by MFA, security baselines, certificate-based logins and device management, the actual risk is much lower. Conversely, a piece of custom software that communicates in an unusual or legacy way may not be recognised as a risk at all.

AI or machine learning can help here, but it is not a "silver bullet". It can help through trend analysis of connections and the flagging of anomalies, for example, but every anomaly still requires human investigation and analysis.
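To make the "trend analysis of connections" concrete, here is an added example of the kind of baseline-and-deviation check that sits underneath such tooling. It is not Cyberfort code and not any vendor's product; the log format, the two supplier service accounts, the addresses and the volumes are all constructed. Each supplier account is compared only against its own prior days, and the output is a list of leads with reasons attached, because the analyst still has to decide whether the 02:41 connection from a new address is a night-shift engineer or an attacker.

```python
"""Baseline-and-deviation check on supplier remote-access logs.

Added example (not Cyberfort code, and not a product). The log format,
accounts and addresses are constructed for illustration; a real feed would
come from the VPN gateway or identity provider.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} vpn-gw "
    r"user=(?P<user>\S+) src=(?P<src>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed log: eight normal days for two supplier service accounts,
# then a ninth day on which partsco-svc connects at 02:41 from a new
# address and pulls 48 MB instead of its usual ~375 KB.
LOG_LINES = [
    f"2025-01-{d:02d} 09:0{i}:00 vpn-gw user=partsco-svc src=203.0.113.10 bytes_out={120_000 + 5_000 * i}"
    for d in range(6, 14) for i in range(3)
] + [
    f"2025-01-{d:02d} 10:15:00 vpn-gw user=acme-svc src=192.0.2.44 bytes_out={80_000 + 1_000 * d}"
    for d in range(6, 14)
] + [
    "2025-01-14 02:41:00 vpn-gw user=partsco-svc src=198.51.100.77 bytes_out=48000000",
    "2025-01-14 10:15:00 vpn-gw user=acme-svc src=192.0.2.44 bytes_out=82000",
]


def parse_lines(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:   # in production, count unparseable lines: a silent feed change hides attacks
            events.append({"date": m["date"], "hour": int(m["hour"]), "user": m["user"],
                           "src": m["src"], "bytes": int(m["bytes"])})
    return events


def daily_profile(events):
    """Per account, per day: bytes sent out, source addresses and hours of use."""
    prof = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "src": set(), "hours": set()}))
    for e in events:
        day = prof[e["user"]][e["date"]]
        day["bytes"] += e["bytes"]
        day["src"].add(e["src"])
        day["hours"].add(e["hour"])
    return prof


def volume_threshold(history, k=4.0):
    """Median plus k robust deviations (MAD), with a floor so that a flat
    baseline does not produce a zero-width band that flags every change."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    return med + k * max(mad, 0.1 * med)


def find_anomalies(lines, min_baseline_days=5):
    """Compare each day against the account's own prior days; every hit is a
    lead for an analyst, not a verdict."""
    findings = []
    for user, days in daily_profile(parse_lines(lines)).items():
        dates = sorted(days)
        for i, date in enumerate(dates):
            if i < min_baseline_days:
                continue
            prior = [days[d] for d in dates[:i]]
            today = days[date]
            reasons = []
            thr = volume_threshold([p["bytes"] for p in prior])
            if today["bytes"] > thr:
                reasons.append(f"bytes_out {today['bytes']} above baseline threshold {int(thr)}")
            new_src = today["src"] - set().union(*(p["src"] for p in prior))
            if new_src:
                reasons.append(f"new source address {sorted(new_src)}")
            new_hours = today["hours"] - set().union(*(p["hours"] for p in prior))
            if new_hours:
                reasons.append(f"activity at unseen hours {sorted(new_hours)}")
            if reasons:
                findings.append({"user": user, "date": date, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(LOG_LINES):
        print(f["user"], f["date"], "; ".join(f["reasons"]))
```

Run stand-alone it reports a single lead, partsco-svc on 2025-01-14 with three reasons, and nothing for acme-svc. The median-and-MAD threshold is deliberately simple; the point is that the three reasons are printed alongside the lead so the human investigation the text calls for starts from evidence rather than a score.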

The best answer is a combination of validated and evidenced checking, standard accreditations (such as Cyber Essentials Plus), automated monitoring software where available, controls and mitigations on the customer side, and contractual requirements for the supplier to continue to comply and to evidence alignment with the required risk levels. This can be an arduous task, so it should be combined with appropriate risk governance for every contracted piece of software or purchase, and with segmentation, controls and training across the customer's networks and resources so that risks are identified, reported and mitigated.

For more information about our Supply Chain Cyber Security Services, please contact us at [email protected]

Contact Us

Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX

+44 (0)1304 814800

[email protected]