According to CrowdStrike, 84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Despite this, 50% of organizations find monitoring third parties draining on their resources.
Managing third-party risk requires an in-depth understanding of your vendor network and its security. A chain is only as strong as its weakest link, meaning to defend your entire attack surface, you must ensure all your vendors share your values when it comes to robustly managing cyber risk.
Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individual’s data. To better understand the scope of third-party risk, Resilience’s Global Head of Claims, Tom Egglestone, suggests that companies can categorize potential threats as upstream and downstream. Upstream indicates when the breach comes from a third-party supplier, data transfer system, or other partners in the supply chain. Downstream indicates when you are breached, and your client network becomes at risk.
Upstream Third-Party Breaches
Infiltrating the systems of an upstream vendor in the supply chain with the intent of gaining broader access to client systems or data is a threat tactic that is growing more common. These third-party attacks offer access to mass amounts of data and increase the likelihood that the data exfiltrated will be valuable and provoke ransom payment. According to the 2023 Thales Cloud Security Study, 39% of organizations surveyed reported experiencing a data breach in their cloud environment in the past year, up 4% from 2022.
Because of the expansive access to secondary victims offered through third-party breaches, large data servers, Cloud services, and SaaS providers are becoming massive targets for vendor breaches. Supply chain attacks help adversaries scale their operations by taking advantage of the trusted position of vendors to turn one breach into multiple incidents. This is a particularly effective tactic in a post-pandemic world where companies have invested more and more heavily in SaaS and Cloud-based products and tools to support remote working. The MOVEit breaches of Q2 2023 saw this supply chain-style attack matched with encryption-less and multiple-extortion ransomware tactics. When the Russian-based ransomware group CL0P accessed a vulnerability in MOVEit, Progressive Software’s transfer product, they gained access to data that allowed them to impact millions of individuals and hundreds of organizations around the world.
Resilience’s ransomware incident response partner Coveware reported a record low rate of ransomware payment at 34% over the first half of 2023. As victims of ransomware grow more resilient to making extortion payments, threat actors are shifting tactics to go after as many pockets as possible while minimizing their efforts. “Threat actor’s entire mode of operation supports quick adaptation in the face of security safeguards,” said Tom Egglestone, Global Head of Claims at Resilience. “The shift to encryption-less and third-party ransom attacks demonstrates how threat actors are always looking for new ways to bypass security controls, especially in the face of declining ransom payments.”
Downstream Third-Party Breaches: When Your Client Network is at Risk
Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals’ data. So, what happens when you are at the top of that food chain? When a supplier, manufacturer, business partner, or other upstream vendor is hit with a data breach, every client network that they interact with becomes at risk. Downstream third-party breaches can devastate the reputation of the initially impacted organization. Being at the top of a vendor breach is not only a massive financial burden but can also be disastrous for your organization’s reputation.
Consider the MOVEit breaches again– despite the hundreds of high-profile organizations who realized millions more in financial losses, it is the MOVEIt Transfer System we remember as the culprit of the breach. Aside from the cost of making extortion payments, victims of MOVEit also experienced numerous incident response, business interruption, and data recovery costs, not to mention the very real risk of reputational damage and potential legal and regulatory repercussions.
“Managing a cyber incident following a security breach is already a significant burden on an affected company, but this situation becomes even more complicated if your clients or partners are also impacted,” said Egglestone. “Organizations who are entrusted with large amounts of sensitive data are huge targets for threat actors and stand to incur losses to their business way beyond a potential ransom payment, be that income loss or the costs to restore affected systems.”
Incident Best Practices
According to a report by Statista, supply chain attacks grow 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface. The most important of these steps is gaining visibility into your vendors. “Vendor breach prevention relies on auditing the data stored with each vendor,” said Egglestone. “Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more.”
At Resilience, we give clients the tools to interview vendors through comprehensive risk management questionnaires that address security and insurance protocols in alignment with your unique requirements. Through our holistic cyber risk management platform, we offer a Vendor Risk Management Guide that helps our clients better manage their vendors through proposed tactics, guidelines, and more. We also offer State of Your Vendor’s Risk reports for up to fifteen key vendors that detail their most relevant threats, remediation strategies, and background on their risk posture.
Our Vendor Risk Management tools and guides encourage collaboration across cybersecurity, insurance, and financial leadership by offering the data and analytics to coordinate strategies and resolve incidents without impacting business value.
“Whether you’re defending your own environment to prevent a downstream incident or carefully selecting a vendor network to protect yourself from an upstream third-party breach, Resilience has the tools to gain visibility into your attack surface and contextualize what that risk means for you,” said Egglestone. “The Resilience solution is designed to holistically manage all kinds of third-party risk through advanced tools, human-in-the-loop expertise, and more.”
