A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider that has access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm.
Supply chain attack examples
There’s no end to major cyber breaches that were caused by suppliers. The 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach on a flaw in outside software it was using. It then blamed a malicious download link on its website on yet another vendor.
Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year’s Panama Papers, it was a law firm that was the weakest link.
Scope of supply chain attacks
These aren’t isolated cases. According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. That number might be a little low. Only 35 percent of companies had a list of all the third parties they were sharing sensitive information with.
Only 18 percent of companies say they knew whether those vendors were, in turn, sharing that information with other suppliers. That’s a …