
Third-Party Breaches: Risk in the Supply Chain

Upstream and Downstream Risk in the Supply Chain

by Si West, Director, Customer Engagement

According to CrowdStrike, 84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Despite this, 50% of organizations find monitoring third parties a drain on their resources.

Managing third-party risk requires an in-depth understanding of your vendor network and its security. A chain is only as strong as its weakest link: to defend your entire attack surface, you must ensure all your vendors share your commitment to robustly managing cyber risk.

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals’ data. To better understand the scope of third-party risk, Resilience’s Global Head of Claims, Tom Egglestone, suggests that companies can categorize potential threats as upstream and downstream. Upstream means the breach originates at a third-party supplier, data transfer system, or other partner in the supply chain. Downstream means you are breached, and your client network is put at risk.

Upstream Third-Party Breaches  

Infiltrating the systems of an upstream vendor in the supply chain with the intent of gaining broader access to client systems or data is a threat tactic that is growing more common. These third-party attacks give access to vast amounts of data and increase the likelihood that the exfiltrated data will be valuable enough to provoke a ransom payment. According to the 2023 Thales Cloud Security Study, 39% of organizations surveyed reported experiencing a data breach in their cloud environment in the past year, up 4% from 2022.

Because of the expansive access to secondary victims that third-party breaches offer, large data servers, cloud services, and SaaS providers are becoming major targets for vendor breaches. Supply chain attacks help adversaries scale their operations by taking advantage of the trusted position of vendors to turn one breach into multiple incidents. This is a particularly effective tactic in a post-pandemic world where companies have invested more and more heavily in SaaS and cloud-based products and tools to support remote working. The MOVEit breaches of Q2 2023 saw this supply chain-style attack combined with encryption-less and multiple-extortion ransomware tactics. When the Russia-based ransomware group CL0P exploited a vulnerability in MOVEit, Progress Software’s file transfer product, they gained access to data that allowed them to impact millions of individuals and hundreds of organizations around the world.

Resilience’s ransomware incident response partner Coveware reported a record low rate of ransomware payment at 34% over the first half of 2023. As victims of ransomware grow more resistant to making extortion payments, threat actors are shifting tactics to go after as many pockets as possible while minimizing their effort. “Threat actors’ entire mode of operation supports quick adaptation in the face of security safeguards,” said Tom Egglestone, Global Head of Claims at Resilience. “The shift to encryption-less and third-party ransom attacks demonstrates how threat actors are always looking for new ways to bypass security controls, especially in the face of declining ransom payments.”

Downstream Third-Party Breaches: When Your Client Network is at Risk  

Third-party breaches trigger a domino effect that can impact hundreds of organizations and millions of individuals’ data. So, what happens when you are at the top of that food chain? When a supplier, manufacturer, business partner, or other upstream vendor is hit with a data breach, every client network they interact with becomes at risk. Downstream third-party breaches can devastate the reputation of the initially impacted organization. Being the origin of a vendor breach is not only a massive financial burden but can also be disastrous for your organization’s reputation.

Consider the MOVEit breaches again: despite the hundreds of high-profile organizations that suffered millions more in financial losses, it is MOVEit Transfer we remember as the culprit of the breach. Aside from the cost of making extortion payments, victims of MOVEit also incurred numerous incident response, business interruption, and data recovery costs, not to mention the very real risk of reputational damage and potential legal and regulatory repercussions.

“Managing a cyber incident following a security breach is already a significant burden on an affected company, but this situation becomes even more complicated if your clients or partners are also impacted,” said Egglestone. “Organizations who are entrusted with large amounts of sensitive data are huge targets for threat actors and stand to incur losses to their business way beyond a potential ransom payment, be that income loss or the costs to restore affected systems.” 

Incident Best Practices

According to a report by Statista, supply chain attacks grew 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface. The most important of these steps is gaining visibility into your vendors. “Vendor breach prevention relies on auditing the data stored with each vendor,” said Egglestone. “Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more.”

At Resilience, we give clients the tools to interview vendors through comprehensive risk management questionnaires that address security and insurance protocols in alignment with your unique requirements. Through our holistic cyber risk management platform, we offer a Vendor Risk Management Guide that helps our clients better manage their vendors through proposed tactics, guidelines, and more. We also offer State of Your Vendor’s Risk reports for up to fifteen key vendors that detail their most relevant threats, remediation strategies, and background on their risk posture.

Our Vendor Risk Management tools and guides encourage collaboration across cybersecurity, insurance, and financial leadership by offering the data and analytics to coordinate strategies and resolve incidents without impacting business value. 

“Whether you’re defending your own environment to prevent a downstream incident or carefully selecting a vendor network to protect yourself from an upstream third-party breach, Resilience has the tools to gain visibility into your attack surface and contextualize what that risk means for you,” said Egglestone. “The Resilience solution is designed to holistically manage all kinds of third-party risk through advanced tools, human-in-the-loop expertise, and more.”
