Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Third-Party Breaches: Risk in the Supply Chain

Upstream and Downstream Risk in the Supply Chain

by Si West , Director, Customer Engagement
Published

According to CrowdStrike, 84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Despite this, 50% of organizations find monitoring third parties draining on their resources.

Managing third-party risk requires an in-depth understanding of your vendor network and its security. A chain is only as strong as its weakest link, meaning to defend your entire attack surface, you must ensure all your vendors share your values when it comes to robustly managing cyber risk. 

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individual’s data. To better understand the scope of third-party risk, Resilience’s Global Head of Claims, Tom Egglestone, suggests that companies can categorize potential threats as upstream and downstream. Upstream indicates when the breach comes from a third-party supplier, data transfer system, or other partners in the supply chain. Downstream indicates when you are breached, and your client network becomes at risk. 

Upstream Third-Party Breaches  

Infiltrating the systems of an upstream vendor in the supply chain with the intent of gaining broader access to client systems or data is a threat tactic that is growing more common. These third-party attacks offer access to mass amounts of data and increase the likelihood that the data exfiltrated will be valuable and provoke ransom payment. According to the 2023 Thales Cloud Security Study, 39% of organizations surveyed reported experiencing a data breach in their cloud environment in the past year, up 4% from 2022.

Because of the expansive access to secondary victims offered through third-party breaches, large data servers, Cloud services, and SaaS providers are becoming massive targets for vendor breaches. Supply chain attacks help adversaries scale their operations by taking advantage of the trusted position of vendors to turn one breach into multiple incidents. This is a particularly effective tactic in a post-pandemic world where companies have invested more and more heavily in SaaS and Cloud-based products and tools to support remote working. The MOVEit breaches of Q2 2023 saw this supply chain-style attack matched with encryption-less and multiple-extortion ransomware tactics. When the Russian-based ransomware group CL0P accessed a vulnerability in MOVEit, Progressive Software’s transfer product, they gained access to data that allowed them to impact millions of individuals and hundreds of organizations around the world. 

Resilience’s ransomware incident response partner Coveware reported a record low rate of ransomware payment at 34% over the first half of 2023. As victims of ransomware grow more resilient to making extortion payments, threat actors are shifting tactics to go after as many pockets as possible while minimizing their efforts. “Threat actor’s entire mode of operation supports quick adaptation in the face of security safeguards,” said Tom Egglestone, Global Head of Claims at Resilience. “The shift to encryption-less and third-party ransom attacks demonstrates how threat actors are always looking for new ways to bypass security controls, especially in the face of declining ransom payments.”  

Downstream Third-Party Breaches: When Your Client Network is at Risk  

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals’ data. So, what happens when you are at the top of that food chain? When a supplier, manufacturer, business partner, or other upstream vendor is hit with a data breach, every client network that they interact with becomes at risk. Downstream third-party breaches can devastate the reputation of the initially impacted organization. Being at the top of a vendor breach is not only a massive financial burden but can also be disastrous for your organization’s reputation. 

Consider the MOVEit breaches again– despite the hundreds of high-profile organizations who realized millions more in financial losses, it is the MOVEIt Transfer System we remember as the culprit of the breach. Aside from the cost of making extortion payments, victims of MOVEit also experienced numerous incident response, business interruption, and data recovery costs, not to mention the very real risk of reputational damage and potential legal and regulatory repercussions. 

“Managing a cyber incident following a security breach is already a significant burden on an affected company, but this situation becomes even more complicated if your clients or partners are also impacted,” said Egglestone. “Organizations who are entrusted with large amounts of sensitive data are huge targets for threat actors and stand to incur losses to their business way beyond a potential ransom payment, be that income loss or the costs to restore affected systems.” 

Incident Best Practices

According to a report by Statista, supply chain attacks grow 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface. The most important of these steps is gaining visibility into your vendors. “Vendor breach prevention relies on auditing the data stored with each vendor,” said Egglestone. “Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more.” 

At Resilience, we give clients the tools to interview vendors through comprehensive risk management questionnaires that address security and insurance protocols in alignment with your unique requirements. Through our holistic cyber risk management platform, we offer a Vendor Risk Management Guide that helps our clients better manage their vendors through proposed tactics, guidelines, and more. We also offer State of Your Vendor’s Risk reports for up to fifteen key vendors that detail their most relevant threats, remediation strategies, and background on their risk posture. 

Our Vendor Risk Management tools and guides encourage collaboration across cybersecurity, insurance, and financial leadership by offering the data and analytics to coordinate strategies and resolve incidents without impacting business value. 

“Whether you’re defending your own environment to prevent a downstream incident or carefully selecting a vendor network to protect yourself from an upstream third-party breach, Resilience has the tools to gain visibility into your attack surface and contextualize what that risk means for you,” said Egglestone. “The Resilience solution is designed to holistically manage all kinds of third-party risk through advanced tools, human-in-the-loop expertise, and more.”

About the Author
Si West , Director, Customer Engagement

You might also like

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]

cyber resilience framework

AI and Misuse

Welcome to part two in our series on AI and cyber risk. Be sure to read the first installment “What you need to know: Artificial Intelligence at the Heart of Cyber,” here. Key takeaways Background In February 2024, OpenAI – in collaboration with Microsoft— tracked adversaries from Russia, North Korea, Iran, and China, leveraging their […]