Suppliers are weak link in cybersecurity, says report

Attackers are targeting under-resourced suppliers with weaker defences as a way of disrupting or compromising larger organisations, according to a new survey.

Risk Ledger’s State of Cyber Security in the Supply Chain 2023 report – based on proprietary data from over 2,500 suppliers – reveals that almost two thirds of organisations suffered a data breach through a third party, placing them at risk of regulatory fines, huge data recovery costs and loss of consumer trust.

For example, one notable ransomware attack on a supplier to semiconductor giant Applied Materials is expected to lead to $250m in lost sales, says the cybersecurity specialist.

“There is a wealth of existing data on the tools hackers use to target companies, and on the effects of such attacks, allowing cyber security professionals to put specific defences in place,” it adds. “There has been a total lack of visibility, however, into the main weaknesses in security postures of suppliers that allow these attacks to be successful in the first place.”

The reality is that companies rarely run security assurance against more than 10 per cent of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent. Moreover, 40 per cent of third-party suppliers do not conduct regular penetration tests of internal systems.

Among the other major findings in the survey are that 17 per cent of companies do not enforce multi-factor authentication (MFA) on all remotely accessible services – even though it is the simplest and most effective way to keep hackers out of accounts.

“Whilst MFA is simple to implement, it does increase friction for the user and is therefore often provided as an optional setting which needs to be intentionally configured,” according to Risk Ledger.  “This often leaves MFA disabled and the accounts vulnerable to unauthorised access through password theft.”

Meanwhile, almost a quarter (23 per cent) of respondents revealed that they do not use privileged access management controls to securely manage the use of privileged accounts – the ultimate target for attackers – and 20% do not use a password manager.

“People are terrible at remembering passwords, which means employees create insecure passwords like qwerty123,” said Risk Ledger. “This is not their fault! Businesses need to provide a practical alternative.”

All three of these weaknesses are common causes of cyber security incidents and a high proportion of third, fourth and fifth party suppliers are not using controls to protect themselves or their customers in these areas, says the report.

Photo by Markus Spiske on Unsplash