Risks of Poor Cybersecurity: Supply Chain Attacks and Third-Party Risks (With Example and Stats)

One example of the risks associated with poor cybersecurity is the increased vulnerability to supply chain attacks and third-party risks. In today’s interconnected digital landscape, organizations often rely on a complex network of suppliers, vendors, and third-party service providers to support their operations. However, if proper cybersecurity measures are not in place, these relationships can become potential points of entry for malicious actors.

A supply chain attack occurs when an attacker targets a trusted supplier or vendor to gain unauthorized access to the target organization’s systems or data. By infiltrating a vulnerable third party, hackers can exploit weaknesses in the supply chain to distribute malware, compromise sensitive information, or disrupt operations. This can have far-reaching consequences, including financial losses, reputational damage, and regulatory non-compliance.

Third-party risks also arise when organizations entrust sensitive data or critical operations to external parties. Without adequate cybersecurity practices, the third party may inadvertently expose the data to unauthorized access or fail to implement robust security measures, putting the organization’s information at risk. This can lead to data breaches, loss of intellectual property, or regulatory violations.

To mitigate these risks, organizations must prioritize cybersecurity throughout their supply chains and engage in thorough due diligence when selecting and managing third-party relationships. Implementing stringent security requirements, conducting regular audits, and maintaining open lines of communication with suppliers and vendors are crucial steps to ensure a secure and resilient ecosystem.

By addressing supply chain attacks and third-party risks, organizations can protect their assets, maintain trust, and safeguard their overall cybersecurity posture.

The following examples and statistics illustrate the risks organizations face when proper cybersecurity measures are not in place within their supply chain and third-party relationships.

  1. SolarWinds Supply Chain Attack:
    In December 2020, a highly sophisticated supply chain attack was discovered, targeting SolarWinds, a prominent IT management software provider. The attack resulted in the compromise of SolarWinds’ software update system, allowing hackers to distribute a malicious software update to thousands of organizations, including government agencies and major corporations.
  2. Target Data Breach:
    In 2013, Target, a renowned retail company, suffered a massive data breach that compromised the personal and financial information of approximately 41 million customers. The breach originated from a third-party HVAC vendor that had access to Target’s network. Hackers exploited vulnerabilities in the vendor’s system, allowing them to infiltrate Target’s network and steal sensitive data.
  3. Ponemon Institute Study:
    According to a study conducted by the Ponemon Institute, 56% of organizations have experienced a data breach caused by a third-party vendor. Furthermore, the study revealed that the average cost of a data breach resulting from a third party was $4.29 million.
  4. Verizon Data Breach Investigations Report:
    According to the Verizon Data Breach Investigations Report, third-party breaches accounted for 39% of data breaches in 2020. This statistic highlights the significance of managing third-party risks and the potential impact on overall cybersecurity.

These examples and statistics emphasize the critical importance of implementing robust cybersecurity measures within supply chains and third-party relationships. Organizations must prioritize due diligence, conduct thorough risk assessments, and establish clear security requirements to protect against potential vulnerabilities and mitigate the risks associated with malicious actors targeting trusted partners.

Next, I researched each of them.

1. SolarWinds Supply Chain Attack 2020

The SolarWinds supply chain attack, also known as the SolarWinds Orion breach, is a notable cybersecurity incident that came to light in December 2020. Here are some additional details about the SolarWinds supply chain attack:

  1. Breach Details: The attack involved compromising SolarWinds, a leading provider of network management software. Hackers gained unauthorized access to SolarWinds’ software build environment and injected a backdoor into a software update for their Orion platform. This allowed them to distribute the compromised update to thousands of SolarWinds customers.
  2. Scope and Impact: The attack affected numerous organizations, including government agencies, corporations, and critical infrastructure providers around the world. The exact number of impacted entities is difficult to determine, but it is believed to be in the thousands. Notable victims included U.S. government departments, Fortune 500 companies, and security firms.
  3. Advanced Persistent Threat (APT): The attack was carried out by a highly sophisticated threat actor believed to be affiliated with Russian state-sponsored hackers. The campaign involved careful planning, extensive reconnaissance, and stealthy actions, indicating the work of a skilled and patient APT group.
  4. Supply Chain Compromise: The attackers exploited the trust and reliance placed on SolarWinds’ software updates to breach the targeted organizations. By compromising a trusted supplier and injecting malicious code into legitimate software updates, they were able to gain persistent access to victim networks, exfiltrate data, and potentially conduct further malicious activities.
  5. Investigation and Response: The breach triggered a large-scale investigation involving government agencies, cybersecurity firms, and private sector organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) played a key role in coordinating response efforts and providing guidance to affected entities. Steps were taken to remove the malicious code, patch affected systems, and enhance cybersecurity measures to prevent future supply chain attacks.
  6. Implications and Lessons Learned: The SolarWinds attack exposed the vulnerabilities and risks associated with the software supply chain. It underscored the importance of robust security measures, continuous monitoring, and threat intelligence sharing to detect and respond to such attacks. The incident also prompted organizations to reassess their supply chain risk management practices and implement stronger controls and verifications.

The SolarWinds supply chain attack serves as a wake-up call for organizations to enhance their cybersecurity defenses, particularly in relation to third-party software and supply chain security. It highlights the need for increased vigilance, threat intelligence sharing, and proactive measures to detect and mitigate supply chain vulnerabilities.

2. Target Data Breach 2013

The Target data breach that occurred in 2013 is one of the most significant cyberattacks in recent history, showcasing the potential consequences of poor cybersecurity within the supply chain. Here are some additional details about the Target data breach:

  1. Breach Details: The breach involved the theft of credit and debit card information from approximately 41 million customers. Hackers gained access to Target’s network by exploiting vulnerabilities in a third-party HVAC vendor’s system. The attackers installed malware on point-of-sale (POS) systems, which allowed them to intercept customer payment card data during transactions.
  2. Duration and Discovery: The breach took place during the busy holiday shopping season, starting from late November 2013 and continuing until mid-December 2013. Target first became aware of suspicious activity after being alerted by federal authorities and subsequently launched an internal investigation, which confirmed the breach.
  3. Impact: The breach had far-reaching consequences for Target and its customers. It led to significant financial losses, estimated to be over $250 million for Target, including expenses related to remediation, legal settlements, and regulatory penalties. Additionally, the reputational damage suffered by Target was substantial, impacting customer trust and loyalty.
  4. Response and Lessons Learned: Following the breach, Target took immediate steps to enhance its cybersecurity practices. They invested heavily in cybersecurity infrastructure, implemented stricter access controls, increased network monitoring, and improved incident response capabilities. The incident served as a wake-up call for organizations across industries to prioritize cybersecurity and heighten their focus on supply chain vulnerabilities.

The Target data breach serves as a stark reminder of the critical importance of securing the supply chain and maintaining strong cybersecurity practices. It highlights the need for organizations to assess the security posture of their third-party vendors, conduct regular audits, and ensure proper security controls are in place throughout the supply chain to protect against potential breaches and safeguard sensitive customer information.

3. Ponemon Institute Study

The Ponemon Institute has conducted several studies focusing on cybersecurity and third-party risks. Here are some additional details about their studies and relevant statistics:

  1. Ponemon Institute Study: In a study titled “Data Risk in the Third-Party Ecosystem,” the Ponemon Institute examined the risks and impacts associated with third-party breaches. The study surveyed over 1,000 IT and security professionals from various organizations.
  2. Third-Party Breach Statistics: According to the Ponemon Institute study, 56% of organizations surveyed reported experiencing a data breach caused by a third-party vendor. This highlights the prevalence and significance of third-party breaches in today’s digital landscape.
  3. Average Cost of Third-Party Breaches: The study also revealed that the average cost of a data breach resulting from a third-party vendor was $4.29 million. This figure includes expenses related to detection, response, notification, legal settlements, and reputational damage.
  4. Factors Contributing to Third-Party Breaches: The study identified several factors that contribute to third-party breaches. These include inadequate due diligence when assessing third-party security practices, insufficient oversight and monitoring of third-party activities, and lack of contractual obligations for maintaining robust security controls.
  5. Importance of Security Practices: The study emphasized the importance of implementing strong security practices throughout the supply chain. It highlighted the need for organizations to assess the security posture of their third-party vendors, conduct regular audits, and establish clear security requirements to mitigate the risk of third-party breaches.

These statistics from the Ponemon Institute study underline the critical nature of third-party risks and the potential financial and reputational impact of such breaches. They emphasize the importance of thorough due diligence, robust security controls, and effective oversight when engaging with third-party vendors and partners.

Please note that specific statistics and findings from the Ponemon Institute may vary across different studies and reports they have conducted over the years. For the most up-to-date and detailed information, I recommend referring directly to the Ponemon Institute’s publications and research on third-party risks and cybersecurity.

4. Verizon Data Breach Investigations Report (DBIR)

When it comes to the risks of poor cybersecurity, supply chain attacks and third-party risks are significant factors to consider. The Verizon Data Breach Investigations Report (DBIR) provides valuable insights and statistics on these areas:

  1. Supply Chain Attacks: According to the DBIR, supply chain attacks are a concerning threat. They involve exploiting vulnerabilities in the software supply chain to gain unauthorized access to organizations’ networks. These attacks accounted for a notable percentage of breaches analyzed in the report.
  2. Third-Party Involvement: The DBIR emphasizes the role of third parties in data breaches and incidents. It highlights how compromises in third-party systems and vendor-related vulnerabilities can create cybersecurity risks for organizations. The report explores the impact of these risks and provides insights into mitigating measures.
  3. Financial Impact: While specific statistics from the DBIR may vary, poor cybersecurity in supply chains and third-party relationships can lead to significant financial consequences. Data breaches resulting from such risks can incur substantial costs, including expenses related to incident response, remediation, legal settlements, and reputational damage.
  4. Regulatory Compliance: Organizations that fail to effectively manage third-party risks may face compliance challenges. Regulations like the GDPR impose substantial fines for data breaches involving third-party vendors, highlighting the importance of maintaining robust cybersecurity practices.
  5. Reputational Damage: A supply chain attack or third-party breach can severely damage an organization’s reputation. Studies have shown that customers may reconsider their loyalty and take their business elsewhere if a company fails to adequately protect their data.

The Verizon DBIR offers a wealth of insights into these risks, providing actionable information to enhance cybersecurity defenses. For the most accurate and up-to-date statistics and findings, it’s recommended to refer directly to the official report from Verizon, available on their website or through reputable cybersecurity sources.

A couple of statistics related to the risks of poor cybersecurity, specifically focusing on supply chain attacks and third-party risks:

  1. Supply Chain Attacks:
    • According to the 2021 Verizon Data Breach Investigations Report (DBIR), supply chain attacks accounted for 18% of all breaches analyzed in the study.
    • The Ponemon Institute’s study on supply chain risks found that 59% of surveyed organizations experienced a data breach caused by a third-party vendor, which often involved a supply chain attack.
  2. Financial Impact:
    • The average cost of a data breach caused by a third-party vendor is estimated to be $4.29 million, as reported by the Ponemon Institute.
    • In the SolarWinds supply chain attack, the estimated financial impact on affected organizations, including remediation and other related costs, was reported to be in the hundreds of millions of dollars.
  3. Regulatory Compliance:
    • Organizations that fail to adequately manage third-party risks may face significant regulatory consequences. For instance, under the EU General Data Protection Regulation (GDPR), companies can be fined up to 4% of their annual global turnover or €20 million (whichever is higher) for data breaches involving third-party vendors.
  4. Reputational Damage:
    • The reputational damage resulting from a supply chain attack or third-party breach can be severe. According to a survey by Deloitte, 90% of consumers indicated they would consider taking their business elsewhere if a company they interacted with experienced a data breach.

These statistics highlight the real-world impact of poor cybersecurity practices, particularly in relation to supply chain attacks and third-party risks. They underscore the financial, regulatory, and reputational consequences that organizations may face when proper cybersecurity measures are not in place within their supply chain and third-party relationships.
