The 2013 security breach suffered by US giant Target was one of the biggest security breaches in history at the time, resulting in the company paying an $18.5m settlement after hackers stole 40 million customer credit and debit records. The hackers, however, didn’t break into Target’s own systems, but rather those of one of Target’s suppliers.

The 2022 data breach of ride-sharing app Uber, which stole employee email addresses, internal documents and information relating to its IT estate – specifically its mobile device management (MDM) platform – also came via one of its suppliers. 

Today, supply chains are complex and tightly interwoven, with most organisations relying on suppliers to deliver products, systems and services in some form or another. What’s more, the size and complexity of today’s supply chains make it difficult to know whether there are enough protections in place. While larger organisations might be implementing ever-tighter cyber security, they are increasingly exposed to numerous risks if their suppliers are not doing the same.

Third-party risk is often overlooked despite the proliferation of business-to-business Service as a Software (SaaS) apps, outsourced services, cloud-based products, and off-premises servers and databases. 

Weaker links in a company’s supply chain are being targeted more than ever as a means to hack larger organisations, because criminals risk-assess their chances of success, too. Hackers target smaller suppliers to large businesses because they are typically not as well secured so often more easily compromised. 

“In security it is often said that you’re only as strong as your weakest link. It is often perceived that this is in reference to the human element, which cannot be fully controlled or accounted for, but in today’s society this notion also applies to the supply chain,” says William Taaffe, COO, Lockdown Cyber Security.

Third-party access to data, or housing data on third-party platforms, carries risk. This is what happened with Uber, that lost millions of driver licences when a third-party development platform it had been using was breached. 

“Supply chain disruptions have been rampant over the last three years. The cracks have been exposed by changing work environments and the consequences of macroeconomic disruptions. If the past few years have taught us anything, it’s that achieving absolute security means trusting no one in the IT supply chain – not even suppliers,” says Spencer Starkey, Executive VP of EMEA at cyber security business SonicWall.

The benefits that technology and innovation offer for businesses are substantial. But they offer criminals similar opportunities, too. Very few organisations regularly test suppliers’ software for security flaws, says Taaffe. Instead they rely on the vendor, with a view that suppliers should be responsible for maintaining security, even though this obligation is rarely written into contracts.

The dynamic nature of cybercrime and technology advances mean that flux is constant. “Exploitable vulnerabilities, misconfigurations and utilising AI technologies mean that cyber security teams must be agile and adaptable. As supply-chain management usually involves multiple business departments, procurement staff must be aware of these risks and build in appropriate processes, for successful supply-chain security management,” Taaffe says.

Organisations can begin to reduce the external threat in their supply chain by building a process for ongoing due diligence, and automated, when possible, to reveal insights on core supply chain partners. “To prevent [breaches], businesses will need to focus their budgets and training on building a roadmap to security resilience,” says Starkey.

Organisations must also work collaboratively with their suppliers, particularly critical suppliers, by offering training in cyber security and best practice for their own organisation. “While third-party due diligence is about thorough vetting before entering into a partnership, third-party relationship management focuses on continuously managing and mitigating risks throughout the relationship. 

“Both are essential for maintaining healthy, compliant and profitable business relationships, but to ensure that your third party and supplier is aligned with your organisation’s values and code, you should be offering suppliers and third parties ethics and compliance training,” says Ty Francis, Chief Advisory Officer at LRN Corporation, an ethics and compliance provider.

When combined with legal professional services for contractual obligations and indemnities, and insurance for redress, supply-chain risk can be mitigated, although never completely eliminated. 

“It is imperative that your vendor community understands the values and ethical behaviours expected of them, while representing your organisation and providing your team with the ability to audit vendor performance. Third-party and supplier training should be the glue that connects these best practices together,” Francis says.

The National Cyber Security Centre proposes a series of 12 principles designed to help establish effective control and oversight of the supply chain. This includes the basics of understanding the risks and implementing continuous monitoring, knowing the sensitivity of the contracts and the value of information or assets which suppliers hold, as well as building an understanding of what supplier security looks like.

From the outset, it’s vital to build cyber-security considerations into contracts, and require suppliers to do the same. Overall, establishing supply-chain security awareness and education for all staff in one’s own business and suppliers will only become more critical as technology continues to evolve.