Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Third-Party Breaches: Risk in the Supply Chain

Upstream and Downstream Risk in the Supply Chain

by Laura Hiserodt , Staff Writer
Published

According to CrowdStrike, 84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Despite this, 50% of organizations find monitoring third parties draining on their resources.

Managing third-party risk requires an in-depth understanding of your vendor network and its security. A chain is only as strong as its weakest link, meaning to defend your entire attack surface, you must ensure all your vendors share your values when it comes to robustly managing cyber risk. 

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individual’s data. To better understand the scope of third-party risk, Resilience’s Global Head of Claims, Tom Egglestone, suggests that companies can categorize potential threats as upstream and downstream. Upstream indicates when the breach comes from a third-party supplier, data transfer system, or other partners in the supply chain. Downstream indicates when you are breached, and your client network becomes at risk. 

Upstream Third-Party Breaches  

Infiltrating the systems of an upstream vendor in the supply chain with the intent of gaining broader access to client systems or data is a threat tactic that is growing more common. These third-party attacks offer access to mass amounts of data and increase the likelihood that the data exfiltrated will be valuable and provoke ransom payment. According to the 2023 Thales Cloud Security Study, 39% of organizations surveyed reported experiencing a data breach in their cloud environment in the past year, up 4% from 2022.

Because of the expansive access to secondary victims offered through third-party breaches, large data servers, Cloud services, and SaaS providers are becoming massive targets for vendor breaches. Supply chain attacks help adversaries scale their operations by taking advantage of the trusted position of vendors to turn one breach into multiple incidents. This is a particularly effective tactic in a post-pandemic world where companies have invested more and more heavily in SaaS and Cloud-based products and tools to support remote working. The MOVEit breaches of Q2 2023 saw this supply chain-style attack matched with encryption-less and multiple-extortion ransomware tactics. When the Russian-based ransomware group CL0P accessed a vulnerability in MOVEit, Progressive Software’s transfer product, they gained access to data that allowed them to impact millions of individuals and hundreds of organizations around the world. 

Resilience’s ransomware incident response partner Coveware reported a record low rate of ransomware payment at 34% over the first half of 2023. As victims of ransomware grow more resilient to making extortion payments, threat actors are shifting tactics to go after as many pockets as possible while minimizing their efforts. “Threat actor’s entire mode of operation supports quick adaptation in the face of security safeguards,” said Tom Egglestone, Global Head of Claims at Resilience. “The shift to encryption-less and third-party ransom attacks demonstrates how threat actors are always looking for new ways to bypass security controls, especially in the face of declining ransom payments.”  

Downstream Third-Party Breaches: When Your Client Network is at Risk  

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals’ data. So, what happens when you are at the top of that food chain? When a supplier, manufacturer, business partner, or other upstream vendor is hit with a data breach, every client network that they interact with becomes at risk. Downstream third-party breaches can devastate the reputation of the initially impacted organization. Being at the top of a vendor breach is not only a massive financial burden but can also be disastrous for your organization’s reputation. 

Consider the MOVEit breaches again– despite the hundreds of high-profile organizations who realized millions more in financial losses, it is the MOVEIt Transfer System we remember as the culprit of the breach. Aside from the cost of making extortion payments, victims of MOVEit also experienced numerous incident response, business interruption, and data recovery costs, not to mention the very real risk of reputational damage and potential legal and regulatory repercussions. 

“Managing a cyber incident following a security breach is already a significant burden on an affected company, but this situation becomes even more complicated if your clients or partners are also impacted,” said Egglestone. “Organizations who are entrusted with large amounts of sensitive data are huge targets for threat actors and stand to incur losses to their business way beyond a potential ransom payment, be that income loss or the costs to restore affected systems.” 

Incident Best Practices

According to a report by Statista, supply chain attacks grow 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface. The most important of these steps is gaining visibility into your vendors. “Vendor breach prevention relies on auditing the data stored with each vendor,” said Egglestone. “Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more.” 

At Resilience, we give clients the tools to interview vendors through comprehensive risk management questionnaires that address security and insurance protocols in alignment with your unique requirements. Through our holistic cyber risk management platform, we offer a Vendor Risk Management Guide that helps our clients better manage their vendors through proposed tactics, guidelines, and more. We also offer State of Your Vendor’s Risk reports for up to fifteen key vendors that detail their most relevant threats, remediation strategies, and background on their risk posture. 

Our Vendor Risk Management tools and guides encourage collaboration across cybersecurity, insurance, and financial leadership by offering the data and analytics to coordinate strategies and resolve incidents without impacting business value. 

“Whether you’re defending your own environment to prevent a downstream incident or carefully selecting a vendor network to protect yourself from an upstream third-party breach, Resilience has the tools to gain visibility into your attack surface and contextualize what that risk means for you,” said Egglestone. “The Resilience solution is designed to holistically manage all kinds of third-party risk through advanced tools, human-in-the-loop expertise, and more.”

About the Author
Laura Hiserodt , Staff Writer

Laura is a content writer at Resilience. Though new to the cybersecurity industry, she works closely with our most tenured experts to produce well-researched and informative content for Resilience’s blogs, reports, and more. She holds a BA in English and Business Marketing from University of Colorado, Boulder.

You might also like

Resilience Threat Researchers Identify New Campaigns from Scattered Spider

Following their attacks on MGM and Caesars’ casinos, threat actor group Scattered Spider is believed to be behind attacks on multiple companies in the finance and insurance industries. Using convincing lookalike domains and login pages as well as efficiently timed attacks, the group is aggressively targeting a wider array of companies. We have also observed […]

Breach and Attack Simulations: A Proactive Approach to Loss Prevention 

Today’s CISOs and risk managers need to see around corners to proactively reduce risks before they turn into losses. Increasingly, CISOs also answer directly to the board of directors. No matter how tight you think your controls are or how big your budget is, I promise you things are happening in your environment that you […]

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer.  The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access […]

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]