Are cyberattacks against supply chains inevitable? The bad news: Yes. The good news: While it may not be possible to prevent all supply chain cyberattacks, their risk and impact can potentially be managed and minimized.
A supply chain attack is when an attacker gains access to your data through one of your vendors or partners. These types of attacks present cyberattackers with enormous opportunities for exploitation. A successful attack against even a single vendor or supplier can yield sensitive data across multiple organizations.
700 organizations were affected by third-party/supply chain compromises in 2020
42m individuals were impacted by third-party/supply chain compromises in 2020
39% of global business leaders believe supply chain partners pose a high/somewhat high risk to their organization
43% of leaders report no confidence in their ability to prevent third-party cyber threats
430% increase in attacks against the software supply chain between 2019 and 2020
A digital supply chain can be defined as:
These two definitions overlap, as almost all supply chains can be considered digital — and third-party technology vendors may supply the technology used in the digital supply chain.
It’s thus important to understand your vendor ecosystem and how they support your digital supply chain. Do you know who provides the digital products and services on which your company relies? Or any critical products/services, for that matter?
As you look deeper into your digital supply chain, consider potential risks from:
The larger your ecosystem is, the bigger your attack surface and potential vulnerabilities are.
Many organizations struggle to understand their complex digital supply chains and the myriad vendor relationships that support their operations — especially those that have access to IT systems and/or data. Regardless of how it’s defined, the expansion of a company’s digital supply chain brings increased cyber risk.
Consider the digital supply chain risks in the following scenarios, where an organization:
As we see more attacks on critical technology vendors and organizations’ digital supply chains, it’s more important than ever to define what is meant by digital supply chain, how the term is understood within your organization, and what types of cyber risks manifest from your critical third-party vendors and digital supply chain.
While supply chain cyberattacks can’t all be prevented, they can be identified and managed to reduce impact. Supply chain resilience can be achieved through identification and understanding of the risks and their potential impact, planning for when an attack happens, and finding the right balance between risk mitigation and risk transfer.
Marsh has helped organizations around the world better understand and manage their supply chain risk. Contact us to learn more.