As all organizations struggle to secure their supply chains, an alarming reality emerges among IT leaders: a significant lack of visibility into third-party access to systems, and widespread incidents of compromise.
Research conducted by CyberRisk Alliance Business Intelligence found that despite recognition by the vast majority (72%) of surveyed IT and security leaders that supply chain visibility is important, only 26% could see the full map of interdependencies across all tiers in their supply chain. Forty-one percent had visibility only into their most critical third-party direct dependencies, while 32% could see only a segment of primary third-party dependencies or none at all.
“If the pandemic customer acquisition and retention is vital, we must make sure all our suppliers are doing the right things,” said one respondent who is a director of operations in the professional services industry. “If consumers see you are using some shady suppliers they may leave, and that’s what we do not want to happen.”
The new study was based on an online survey conducted in late fall 2021 among 301 IT and cybersecurity decision-makers and influencers who said their organization worked with third-party partners.
Demonstrating the implications of that lack of visibility, 60% of respondents confirmed an IT security incident in the past two years due to a third-party partner with stolen access privileges. The study, which examined the impact of the December 2020 SolarWinds Orion Sunburst supply chain hack on the industry, found that most of the affected companies were likely to have had sensitive data stolen or to have suffered some type of business outage.
While 52% of those who experienced third-party related attacks indicated they lost less than $100,000 in damages, another 45% incurred higher costs, with a few paying $1 million or more. Victims impacted by the SolarWinds attack suffered everything from day-long shutdowns to crucial data leakages.
“Because we are connected to some software companies that use SolarWinds, it led to data losses both in our mailing system and supply chain,” noted one SolarWinds victim in the survey. Others reported system slowdowns, work disruptions, and malware infections from downstream effects.
Other supply chain attacks followed the SolarWinds announcement, most notably the May 2021 ransomware attack on Colonial Pipeline, which disrupted fuel deliveries in the eastern United States, followed by an attack on JBS, which disrupted global meat production. Then came news that the Kaseya IT platform had been compromised, spreading ransomware to customers that included many managed service providers — which expanded the damage to everything from railways to grocery chains. Even the open-source community wasn’t spared, with the late 2021 discovery of a zero-day vulnerability in the Log4j Java library popular with many software developers.
Such incidents create a high degree of awareness: 70% of the study’s respondents ranked cyber as the No. 1 or No. 2 risk among their third-party supply chain partners.
Despite challenges from the enhanced threat landscape and managing remote workers through the pandemic, organizations expect to improve their third-party risk management programs in the coming year. Budget spending will increase for nearly half (49%) of all organizations, reflecting the growing importance of better third-party risk management to decrease the chance of a data breach or business disruption because of someone else’s poor security posture.