Rampant cyber security weaknesses are putting supply chains at risk, according to a report from British cyber security company Risk Ledger, released this week.
Risk Ledger’s State of Cyber Security in the Supply Chain 2023 report is based on proprietary data from more than 2,500 suppliers on the company's risk management platform. The findings identify the 12 most common weaknesses among suppliers, especially third-tier suppliers and others that are further down a company’s supply chain.
Risk Ledger defines third-party suppliers as external companies that a business uses to provide a service as part of their own delivery or a company that provides elements of a product they make. According to the report, 40% of third-party suppliers do not conduct regular penetration tests of internal systems and 32% do not have a supplier security policy that outlines the security requirements that their suppliers should meet—which puts their own and their customer’s data at risk, according to the report.
“Attackers are targeting under-resourced suppliers with weaker defenses as a way of disrupting or compromising larger organizations,” the company wrote in a statement describing the findings. “The notable ransomware attack on a supplier to semiconductor giant Applied Materials is expected to lead to $250 million in lost sales. With well over 60% of organizations having suffered a data breach through a third party, this regularly results in regulatory fines, huge data recovery costs and loss of consumer trust.”
Two of the top 12 weaknesses revealed in the report include:
17% of suppliers do not enforce multi-factor authentication (MFA) on all remotely accessible services. MFA requires a second source of validation before granting users access to a device or service—in addition to entering a password, the user may also be asked for a code or fingerprint, for example. MFA is the simplest, most effective way to keep hackers out of your online accounts, according to Risk Ledger, but it can be cumbersome for users and is therefore often provided as an optional setting that needs to be intentionally configured. “This often leaves MFA disabled and the accounts vulnerable to unauthorized access through password theft,” according to the report.
23% do not use “Privileged Access Management” controls to securely manage the use of privileged accounts, which are the ultimate target for attackers. With high privileges, an attacker can access more sensitive (and more valuable) data, and modify security detection tools to cover their own tracks.
The report explains that these weaknesses are common causes of cyber security incidents, and that a high proportion of third-, fourth-, and fifth-party suppliers are not using controls to protect themselves or their customers in these areas. It also offers recommendations by cyber security experts for improving companies’ third-party risk management strategies, including benchmarking data.