Security Budgets to Rise 10% in 2022, But Third Party Risk Could Wreck the Party

The global supply chain was exploited more than usual in the last six months of 2021. Between July and December 2021, attacks against organizations in the global supply chain increased by 51%, according to the NCC Group.


In its Insight Space – Issue 6 – Supply Chain report, NCC Group noted that supply chain attacks ranked among the top three types of cyberattacks, alongside phishing and malware attacks, which increased in the last six months after attacks on operational technology.


The vulnerability of global supply chains, whether physical or software, has been evident in the past two years. The SolarWinds software supply chain hack was one of the most significant cyberattacks on record: 18,000 organizations, including ten federal agencies, were affected after downloading a compromised SolarWinds Orion update.


However, the SolarWinds hack by APT29 (also tracked as Cozy Bear and Nobelium) was a cyber espionage campaign intended to gather intelligence rather than to disrupt operations. It did, however, serve as an entry point into critical infrastructure, exposing power grids, oil, manufacturing projects and more.


The SolarWinds incident became possible through a compromised update, but there are other ways malicious actors can disrupt supply chains. These include exploiting any hardware vulnerabilities or targeting resellers, suppliers, or vendors.


In fact, Microsoft discovered as late as October 2021 that Nobelium continued to target resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. The tech giant, itself a victim of the SolarWinds attack, said hackers targeted 609 of its customers 22,868 times between July 1 and October 19, 2021.


“Software supply chains are complex entities often comprising hundreds of ‘suppliers’ per application. Each supplier, or dependency as it’s also known, represents a vector for software to enter an organization,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, told Toolbox.


Integration with third-party providers, resellers, service providers, contractors, or suppliers could expand the attack surface while simultaneously weakening the security fabric of even those with appropriate security hygiene practices. But worryingly, there was a disconnect between organizations and their suppliers/third parties regarding adherence to a responsible security posture.


The NCC Group found that:

  • 49% of the organizations said they did not stipulate security standards that their suppliers must adhere to as part of their contracts.
  • 34% said they do not regularly monitor and risk assess their suppliers’ cyber security arrangements.
  • One in four respondents does not rigorously audit the results of their suppliers’ risk assessments.