In recent years, the cyber security landscape has seen a significant shift. Trust has dwindled and cannot be considered a given. Organisations used to focus on stopping external threats, but as systems have become more complex, even insiders are no longer fully trusted.
The rise of insecure supply chains has added to the problem and led to growing interest in a zero-trust approach: a security model in which nothing is trusted by default, every request is authenticated and authorised, and each identity is granted only the least privilege it needs. Today, businesses must protect themselves from external hackers, insider threats, and vulnerabilities in their supply chains, with supply chains often proving the hardest to secure.
Supply Chain Attacks: Service Providers
Over time, cyber criminals have noticed how organisations have become increasingly reliant on third parties. This is partly by design – outsourcing non-core functions is seen as financially efficient – but also the result of widespread WAN connectivity and remote access, which allow services to be delivered from anywhere.
This reliance isn’t optional in many sectors – a functioning supply chain is fundamental to business, especially in manufacturing, where complex operations depend on a web of specialist suppliers and service providers.
A recent example is the supply chain attack involving Marks & Spencer in June 2024, where attackers compromised a third-party supplier, resulting in unauthorised access to sensitive employee data. This incident highlights how a breach at a service provider can directly impact even large, well-known organisations.
The lesson? Just because you’ve protected your own accounts doesn’t mean your suppliers have done the same. This was a surprise to many businesses. Now, instead of simply trusting suppliers, organisations set clear checks and controls, limit what suppliers can do, and keep an eye on their activity.
Read about the biggest cyber attacks, year by year.
Supply Chains in Manufacturing
Manufacturers rely on a wide range of suppliers and often grant them remote access to both office networks and critical factory systems.
Suppliers provide the continual delivery of parts, materials, and services that keep production running. However, these also introduce extra risks:
- Remote access by suppliers for maintenance or support can be a weak point, especially if it is protected by shared or weak passwords, lacks multi-factor authentication, or is left permanently enabled rather than opened only for an agreed maintenance window.
- Physical components or materials supplied to the business can introduce vulnerabilities – compromised hardware, counterfeit parts, or even software embedded in equipment could all put production at risk.
- Older or poorly segmented factory networks make it easier for cyber attackers to move from a compromised supplier connection or device into other parts of the business.
A disruption from a cyber attack, contaminated materials, or a supplier’s operational failure could halt production. Any delays can be costly, while a major incident can stop manufacturing altogether.
As manufacturers become more connected and reliant on their supply chains, it is crucial to secure digital access points and carefully vet and monitor the integrity of goods and services received.
Software Supply Chains
Today’s software relies on many third-party components, making it difficult for organisations to track where vulnerabilities might be hidden. Criminals can exploit weaknesses in these dependencies – sometimes by tampering with open-source code or publishing malicious packages through public platforms like GitHub and package registries. Even when issues are found, identifying and fixing them isn’t always straightforward, especially if no patch is available.
Software supply chains are a prime target. For attackers, compromising widely used software or update channels opens up new ways to reach thousands of organisations at once. This has driven a wave of large-scale supply chain attacks over recent years, including the following:
- Malicious code was slipped into a software update for the SolarWinds Orion network monitoring platform and distributed through the vendor’s own signed update channel. SolarWinds estimated that up to 18,000 customers downloaded the trojanised update, although the attackers followed up on only a small fraction of them; it remains one of the most widespread single-incident compromises on record. Ironically, the company’s own overseas development supply chain has been suggested as a possible contributor to the breach, though this has not been confirmed.
- Okta, based in San Francisco, delivers cloud-based identity and access management services. Thousands of organisations worldwide rely on its Single Sign-On (SSO), multi-factor authentication (MFA), and API access management solutions. In October 2023, attackers gained access to Okta’s customer support system and to HTTP Archive (HAR) files uploaded by 134 of its customers; some of those files contained live session tokens. Replaying the tokens led to attempted intrusions at Cloudflare, BeyondTrust, and 1Password, all of which detected and contained the activity. The lesson is that diagnostic files shared with a support provider can carry credentials and must be scrubbed before upload.
- The 2023 attack on customers of the MOVEit file transfer platform exploited a zero-day SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer product and is believed to have compromised, to varying degrees, the data of up to several thousand organisations.
A common feature of these incidents is that most of the providers involved were not household names, even though their software or services were widely used by businesses. That’s how supply chains work; today’s organisations depend on many suppliers like these and don’t stop to think about their security until something goes wrong.
This highlights a core challenge of modern business. It’s easy to say, “Don’t trust your suppliers,” but doing so leads to a far more complex reality. In this world, nothing can be taken for granted and constant vigilance is essential.
Read more about the top cyber security risks for businesses.
Cyber Risks in the Supply Chain: FAQs
1. How are businesses changing the way they assess the cyber security of their suppliers?
Some organisations assess the security of their partners before doing business with them, especially if they are technology suppliers. Our article on Shadow Compliance explores how organisations increasingly conduct paid but covert security checks on the public-facing side of a partner’s web presence.
2. How can organisations mitigate the cyber security risks posed by third-party suppliers and partners?
One mitigation is to risk-assess suppliers and partners more actively, for example by compiling a software inventory, or software bill of materials (SBOM), so they know what is inside their applications and can check it against published advisories. However, many now believe organisations should go much further than this. If third-party vulnerabilities can’t be fully known, the best protection is to design your internal network to account for that uncertainty.
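The inventory check described above is only useful if it is actually run against advisories. The script below is an added example written for this article, not British Assessment Bureau code; it parses a CycloneDX-style SBOM and reports components whose version falls inside a vulnerable range. The SBOM contents, package names, version ranges and advisory identifiers are all constructed for illustration and do not describe real vulnerabilities.

```python
"""Check a software inventory (CycloneDX-style SBOM) against an advisory list.

Added example for this article, not British Assessment Bureau code. The SBOM,
package names, version ranges and advisory ids below are constructed and
hypothetical; they do not describe real packages or real vulnerabilities.
"""
import json

# Constructed CycloneDX 1.5-style SBOM fragment (only the fields this check uses).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "2.4.1",
         "purl": "pkg:pypi/example-http-client@2.4.1"},
        {"type": "library", "name": "example-yaml", "version": "5.3",
         "purl": "pkg:pypi/example-yaml@5.3"},
        {"type": "library", "name": "example-logger", "version": "1.0.0",
         "purl": "pkg:npm/example-logger@1.0.0"},
    ],
})

# Constructed advisory feed: (ecosystem, package, first vulnerable, first fixed, id).
# A fixed version of None means no patch exists yet, the case the article notes
# is the hardest to act on: the component still has to be tracked and mitigated.
ADVISORIES = [
    ("pypi", "example-yaml", "0.0", "5.4", "HYPOTHETICAL-0001"),
    ("npm", "example-logger", "1.0.0", None, "HYPOTHETICAL-0002"),
    ("pypi", "example-http-client", "2.0.0", "2.4.0", "HYPOTHETICAL-0003"),
]


def parse_version(version):
    """Turn '2.4.1' into (2, 4, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly lower than b; '2.4' equals '2.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def ecosystem_of(component):
    """Ecosystem from the package URL, e.g. 'pkg:pypi/x@1.0' -> 'pypi'."""
    purl = component.get("purl", "")
    if not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]


def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return (package, version, advisory id, fixed version) for each affected component."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        eco, name, ver = ecosystem_of(comp), comp.get("name"), comp.get("version")
        if not (eco and name and ver):
            continue  # unidentifiable component: cannot be matched, flag in a real pipeline
        for adv_eco, adv_name, introduced, fixed, adv_id in advisories:
            if (adv_eco, adv_name) != (eco, name):
                continue
            affected = not version_lt(ver, introduced) and (fixed is None or version_lt(ver, fixed))
            if affected:
                hits.append((name, ver, adv_id, fixed))
    return hits


if __name__ == "__main__":
    for name, ver, adv_id, fixed in find_vulnerable(SAMPLE_SBOM):
        action = f"upgrade to {fixed}" if fixed else "no fix available: mitigate and monitor"
        print(f"{name} {ver}: {adv_id} ({action})")
```

In practice the SBOM would come from a build tool and the advisory list from a feed such as a vulnerability database; the matching logic stays the same, and the "no fix available" branch is the one that needs a documented mitigation rather than a ticket to upgrade.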
3. What does implementing zero-trust security involve?
The principles of zero trust sound simple enough until you realise that this approach requires organisations to stop implicitly trusting anything, including their own internal networks, devices and accounts. In practice, this means mandating multi-factor authentication across all accounts, reducing every account and service to the privileges it actually needs, and segmenting the network so that a compromised supplier connection or device cannot easily be used for lateral movement.
4. Why isn’t due diligence on supply chains enough to manage cyber risk?
From a risk management point of view, designing for that uncertainty makes sense. Due diligence on partners and their more distant supply chains will only get you so far. In the end, organisations must prepare to be surprised by their own vulnerabilities.
If you’re an SME, it is important to stay ahead of these risks and try to see your own network the way someone else might see it. Is there something you’d rather ignore because it’s difficult to patch, for example, an out-of-date OS controlling a key piece of equipment? In security terms, your customers’ supply chain starts with that machine and how it might be exploited by attackers.
Today’s networks often have overlooked entry points, and while external supply chain risks are hard to control, it’s usually internal weaknesses that open the door to attacks. You can’t manage every external risk, but securing your own environment is still the strongest defence.
5. How can organisations manage risk in manufacturing supply chains?
Common approaches include restricting supplier access to the specific systems and time windows a job requires, requiring strong authentication, segmenting networks, and monitoring supplier sessions for activity outside those bounds. Regular checks of supplier systems and delivered products can help identify vulnerabilities before they impact production.
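Questions 3 and 5, and the manufacturing risks listed earlier (supplier remote access, weak authentication, poorly segmented networks), all come down to the same controls. The script below is an added example written for this article, not British Assessment Bureau code; it turns those controls into a written policy per supplier account (allowed source networks, allowed target hosts, maintenance window, MFA) and audits access-gateway events against it. The supplier accounts, host names, IP ranges and log lines are all constructed for illustration.

```python
"""Audit supplier remote-access events against a least-privilege policy.

Added example for this article, not British Assessment Bureau code. The policy,
account names, host names, address ranges and log lines are constructed for
illustration; the addresses use documentation/benchmark ranges.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed policy: what each supplier account is permitted to do and when.
SUPPLIER_POLICY = {
    "svc-press-vendor": {
        "source_networks": ["203.0.113.0/24"],       # vendor's documented egress range
        "target_hosts": ["plc-gw-01", "hmi-line3"],   # OT maintenance hosts only
        "window_utc": (8, 18),                        # agreed maintenance window (hours)
        "weekdays_only": True,
        "mfa_required": True,
    },
    "svc-erp-support": {
        "source_networks": ["198.51.100.0/25"],
        "target_hosts": ["erp-app-02"],
        "window_utc": (0, 24),                        # 24x7 support contract
        "weekdays_only": False,
        "mfa_required": True,
    },
}

# Constructed access-gateway log: timestamp then key=value fields.
# 2024-03-12 is a Tuesday, 2024-03-13 a Wednesday, 2024-03-16 a Saturday.
SAMPLE_LOG = """\
2024-03-12T09:15:02Z user=svc-press-vendor src=203.0.113.40 dst=plc-gw-01 mfa=yes result=success
2024-03-12T23:41:10Z user=svc-press-vendor src=203.0.113.40 dst=plc-gw-01 mfa=yes result=success
2024-03-13T10:02:55Z user=svc-press-vendor src=203.0.113.77 dst=fileserver-hr mfa=yes result=success
2024-03-16T11:30:00Z user=svc-press-vendor src=198.18.5.9 dst=plc-gw-01 mfa=no result=success
2024-03-13T14:00:00Z user=svc-erp-support src=198.51.100.12 dst=erp-app-02 mfa=yes result=success
2024-03-13T14:05:00Z user=contractor-x src=198.51.100.12 dst=erp-app-02 mfa=yes result=success
"""


def parse_event(line):
    """Parse one log line into a dict with a timezone-aware 'time' plus the key=value fields."""
    timestamp, *fields = line.split()
    event = {"time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def check_event(event, policy=SUPPLIER_POLICY):
    """Return the list of policy violations for one event; an empty list means it was within policy."""
    user = event.get("user")
    rules = policy.get(user)
    if rules is None:
        # An account with no written policy is a standing-access risk in itself.
        return [f"unknown account: no supplier policy defines {user}"]
    problems = []
    src = ipaddress.ip_address(event["src"])
    if not any(src in ipaddress.ip_network(net) for net in rules["source_networks"]):
        problems.append(f"source {src} outside allowed networks")
    if event["dst"] not in rules["target_hosts"]:
        problems.append(f"target {event['dst']} not in allowed hosts (segmentation breach)")
    start, end = rules["window_utc"]
    when = event["time"]
    if not start <= when.hour < end:
        problems.append(f"outside maintenance window {start:02d}:00-{end:02d}:00 UTC")
    if rules["weekdays_only"] and when.weekday() >= 5:
        problems.append("weekend access not permitted")
    if rules["mfa_required"] and event.get("mfa") != "yes":
        problems.append("MFA not used")
    return problems


def audit(log_text, policy=SUPPLIER_POLICY):
    """Map each offending log line number (1-based) to its list of violations."""
    findings = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_event(parse_event(line), policy)
        if problems:
            findings[number] = problems
    return findings


if __name__ == "__main__":
    for number, problems in sorted(audit(SAMPLE_LOG).items()):
        print(f"line {number}: " + "; ".join(problems))
```

Note that every flagged event has result=success: the gateway accepted the login, so the policy has to be enforced at the gateway (deny outside the window, enforce MFA, restrict reachable hosts) and this audit is the detective control that catches the gaps. The line-4 event combines an unexpected source, no MFA and a weekend, which is the pattern of a stolen or shared supplier credential rather than a mis-timed maintenance job.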
6. What role do certifications like Cyber Essentials, Cyber Essentials Plus, or ISO 27001 play in supply chain security?
Certifications like Cyber Essentials, Cyber Essentials Plus, or ISO 27001 indicate that a supplier meets recognised cyber and information security standards. While certification does not guarantee complete security, it does demonstrate that certain baseline controls are implemented and subject to periodic review.
Looking to invest more in your cyber security? Read about how to talk to boards about cyber security investment.
Enhance Your Organisation’s Cyber Security
Whether you are interested in achieving ISO 27001 certification or Cyber Essentials certification, British Assessment Bureau can help.
Get started on your journey to certification – get a quote today or contact our team of experts to discuss your needs.
