Why Supply Chains are So Vulnerable to Hacks

August 04, 2021//Isa Jones

Last Updated: October 26, 2021

When it comes to supply chain hacks, it’s not a matter of if, it’s a matter of when your organization will be hacked. Attacks on critical infrastructure and systems are on the rise, and with hackers gaining skill and in some cases getting paid out through ransomware attacks, that trajectory is only headed upwards.

What constitutes a supply chain hack? 

A supply chain hack is an attack that reaches its real target by way of a trusted outside party: a vendor, service provider, or software supplier that already has access to the target's systems and networks, or whose product the target installs. The bad actor compromises that third party, or its access point or update channel, and rides the existing trust relationship into the victim's environment to wreak havoc. The SolarWinds hack in 2020 was exactly that: attackers got inside SolarWinds' development and build operations and inserted malware into a legitimate software update that the company began distributing in March of that year. SolarWinds is a third-party vendor to a wide range of government organizations, so the poisoned update reached the Treasury Department, the Pentagon, the Commerce Department, and more. According to a 2019 Ponemon Institute report, 90% of the companies that help provide critical national infrastructure had at least one cyberattack between 2017 and 2019. Recent supply chain and infrastructure hacks have already resulted in gas shortages, higher meat prices, and exposed sensitive information, and worse outcomes are easy to imagine. The term critical access is often used for the connections into these systems, because the supply chain, and the information that flows through it, is nothing short of critical.

Why are supply chains so vulnerable to hacking?

1. Supply chains and infrastructure organizations contain a vast number of third-party connections. Look back at the SolarWinds supply chain hack. That one product was connected to at least three major government components, and the company stated that up to 18,000 customers downloaded the affected version of the software. Every one of those 18,000-plus installs was a potential foothold for the attackers. It can be difficult to keep track of third-party suppliers, and according to the 2020 Ponemon report, too few organizations are doing so diligently:

  • 49% of respondents say their organization does not assess the security and privacy practices of all third parties before granting them access to sensitive information.
  • 53% of industrial and manufacturing respondents say their organizations do not have a comprehensive inventory of all third parties with access to their network.
  • 74% of respondents who’ve experienced a hack said it was the result of giving too much privilege to third parties.

All those numbers add up to trouble. As these supply chain attack statistics show, there are a lot of doors for bad actors to walk through, and, at least based on the Ponemon report, far too many of them remain unlocked.

2. The information that exists within these networks and organizations is highly valuable. When we talk about supply chains, we mean government, manufacturing, and energy: the kind of organizations that, if attacked, could lose far more than their hard drives. The ransomware that hit Colonial Pipeline in May 2021 not only spurred gas shortages and international headlines; it cost the company millions to regain control. Had the attackers wanted to, they could have tried to pivot into the many smaller entities connected to Colonial Pipeline. Think of a supply chain network like the air ducts running through a building. Once you get one vent cover off, there are countless places you can go and a treasure trove of valuable information you can discover.

3. These organizations rely on reputation, not Zero Trust architecture. The same Ponemon report states that 63% of respondents cite the third party's reputation as the main reason their organization does not evaluate the security and privacy practices of the third parties it works with. SolarWinds is a trusted name, and so is Colonial Pipeline. Both got hacked. At what point does reputation stop being a reliable signal? Zero Trust answers that bluntly: a good name is not a security control. To paraphrase many spy movies, don't trust anyone; verify every connection, every time.

4. Many supply chain organizations lack critical access protection software. Tracking and controlling access to a network is hard when the connections into it number in the thousands; it is time-consuming and costly, so many organizations take shortcuts or simply don't do it. Look at the stats above: almost every question drew a concerning answer from more than half of respondents, which means most are not taking critical access security seriously. The solution doesn't have to be overwhelming. There is a variety of resources available, and even more tools for critical access protection. As for cost, the fallout from the SolarWinds supply chain hack has cost the company $18 million so far. Better to pay for protection than to pay the price of a breach.

One more number from the same 2020 Ponemon report: only 61% of respondents say they are aware of all the third parties accessing their systems. That clears the halfway mark, but for a question about who has a door into your network, it is still concerningly low. Access monitoring and regular user access reviews are how the other 39% close that gap.

How can an organization reduce supply chain vulnerabilities?

Supply chain cybersecurity comes down to protecting your entryways. The best defense against supply chain hacks is to examine every relationship with a third party and make sure both sides are doing everything they can to reduce the risk: know who has access, assess them before granting it, grant only the privilege the job needs, and review that access regularly. If you don't already have a vendor or third-party risk management program set up, do so. Learning more about Zero Trust architecture, access management, and third-party security is a great start, and you can learn more about SecureLink's solutions here.
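As an added example (not from the original post and not SecureLink's code), here is how the Ponemon findings quoted above, no inventory of third parties, no assessment before access, and too much privilege, turn into concrete checks in a third-party access review. It runs over a small inventory of vendor accounts constructed for the example; the field names, the 90-day staleness window and the set of privileges treated as "too broad" are assumptions, not anything taken from the report.

```python
"""Third-party access review: flag unknown vendors, unassessed vendors,
over-privileged accounts and stale standing access.

Added example, not part of the original post. The inventory is constructed
sample data; BROAD_PRIVILEGES, STALE_AFTER and the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set

# Privileges we consider too broad for any vendor account (assumption).
BROAD_PRIVILEGES = {"domain-admin", "root", "*"}
# Standing access unused for this long is treated as stale (assumption).
STALE_AFTER = timedelta(days=90)


@dataclass
class ThirdPartyAccess:
    vendor: str
    account: str
    privileges: Set[str]
    assessed_on: Optional[date]   # last security/privacy assessment; None = never
    last_used: Optional[date]     # last login with this account; None = never


@dataclass(frozen=True)
class Finding:
    vendor: str
    account: str
    issue: str


def review_access(inventory: Iterable[ThirdPartyAccess],
                  known_vendors: Set[str],
                  today: date) -> List[Finding]:
    """Return one Finding per problem found; an empty list means the
    inventory passes every check."""
    findings: List[Finding] = []
    for a in inventory:
        # Check 1: every account must map to a vendor on the books
        # (the "no comprehensive inventory" finding).
        if a.vendor not in known_vendors:
            findings.append(Finding(a.vendor, a.account, "vendor not in inventory"))
        # Check 2: no access without an assessment first.
        if a.assessed_on is None:
            findings.append(Finding(a.vendor, a.account, "never assessed"))
        # Check 3: no broad privilege (the "too much privilege" finding).
        broad = a.privileges & BROAD_PRIVILEGES
        if broad:
            findings.append(Finding(a.vendor, a.account,
                                    "broad privilege: " + ",".join(sorted(broad))))
        # Check 4: standing access nobody uses is an unwatched open door.
        if a.last_used is None or today - a.last_used > STALE_AFTER:
            findings.append(Finding(a.vendor, a.account, "stale access"))
    return findings


# Constructed sample inventory (not real vendors or accounts).
TODAY = date(2021, 10, 26)
KNOWN_VENDORS = {"Acme HVAC", "Globex Support"}
SAMPLE_INVENTORY = [
    ThirdPartyAccess("Acme HVAC", "svc-acme", {"building-ops"},
                     date(2021, 3, 1), date(2021, 10, 20)),
    ThirdPartyAccess("Acme HVAC", "acme-admin", {"domain-admin"},
                     date(2021, 3, 1), date(2021, 1, 5)),
    ThirdPartyAccess("Globex Support", "globex-rd", {"rdp-jump"},
                     None, date(2021, 10, 25)),
    ThirdPartyAccess("Unknown Vendor", "contractor7", {"*"},
                     None, None),
]


def review_sample() -> List[Finding]:
    """Run the review over the constructed inventory."""
    return review_access(SAMPLE_INVENTORY, KNOWN_VENDORS, TODAY)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.vendor:15} {f.account:12} {f.issue}")
```

Of the four sample accounts only `svc-acme` passes; the unknown contractor account trips every check at once, which is the shape a real review usually finds: the accounts nobody inventoried are also the ones nobody assessed or scoped. Feeding the script a real export of vendor accounts and last-login dates is the "comprehensive inventory" the report says more than half of industrial respondents lack.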
