Suppliers with weak defenses are big firms’ Achilles heel

Attackers are targeting under-resourced suppliers with weaker defenses as a way of disrupting or compromising larger organisations, according to a report from United Kingdom-based cyber security firm Risk Ledger.

For example, a notable ransomware attack on a supplier to semiconductor giant Applied Materials is expected to lead to $250m in lost sales. 

With well over 60% of organisations having suffered a data breach through a third party, this regularly results in regulatory fines, huge data recovery costs and loss of consumer trust.

The report is based on proprietary data from 2,525 suppliers that have shared information on their risk posture against over 200 cyber security controls with their customers on the Risk Ledger platform. 

Findings show that 17% of suppliers do not enforce multi-factor authentication (MFA) on all remotely accessible services. MFA is the simplest, most effective way to keep hackers out of your online accounts. 

However, while MFA is simple to implement, it does increase friction for the user and is therefore often provided as an optional setting which needs to be intentionally configured. This often leaves MFA disabled and the accounts vulnerable to unauthorised access through password theft. 

Also, 23% do not use Privileged Access Management controls to securely manage the use of privileged accounts.

Highly privileged accounts are the ultimate target for attackers. With high privileges, an attacker will be able to access more sensitive (and more valuable) data, and modify security detection tools to cover their own tracks. 

Further, 20% do not use a password manager. People are terrible at remembering passwords, which means employees create insecure passwords like qwerty123. 

All three of these weaknesses are common causes of cyber security incidents and a high proportion of third-, fourth- and fifth-party suppliers are not using controls to protect themselves or their customers in these areas. 

Risk Ledger said the biggest problem associated with supply chain cyber attacks is probably the almost total lack of visibility into the prevailing weaknesses among suppliers. 

There is a wealth of existing data on the tools hackers use to target companies, and on the effects of such attacks, allowing cyber security professionals to put specific defences in place. 

However, there has been a total lack of visibility into the main weaknesses in security postures of suppliers that allow these attacks to be successful in the first place.

“Companies rarely run security assurance against more than 10% of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent,” said Risk Ledger CEO Haydn Brooks.

“To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focussed,” added Haydn.