Third-party and supply chain attacks have plagued organizations for years, and the attacks keep on coming. These attacks happen when threat actors gain access to your organization’s systems through a third party, such as a supplier or vendor. Just a few weeks ago, we saw a third-party cyber attack on LastPass that affected GoTo, a remote access and collaboration organization. As a security-focused organization, it may have surprised many that they were impacted, but third-party attacks don’t discriminate.
For critical infrastructure sectors, the risks of third-party attacks don’t stop at data or revenue loss. For the 16 critical infrastructure sectors, including healthcare, manufacturing, and utilities, a breach could mean the difference between life and death for the organization’s customers. To better understand the risks that these attacks pose to critical infrastructure sectors, GroupSense explored the risks and recommended mitigation strategies for organizations to consider.
Third-Party & Supply Chain Attacks
To operate successfully, critical infrastructure organizations rely on countless vendors and suppliers. These third-party organizations are vital to critical infrastructure, but they pose a significant cybersecurity risk. If and when these vendors are attacked, critical infrastructure organizations are affected.
Cyber Risks of Third-Party/Supply Chain Attacks
In the past several years, the public has seen hundreds of supply chain attacks devastate companies in all industries and sectors. The 2020 SolarWinds hack showed the scale of damage these attacks can cause.
When threat actors injected malicious code into one of SolarWinds’ third parties, they created a backdoor into SolarWinds’ Orion software. Once inside the system, the attackers could impersonate system users, and the activity went undetected because it mimicked legitimate activity. The malicious code was injected into a new software update that was pushed to SolarWinds Orion customers and downloaded by 18,000 users. Threat actors accessed customer IT systems in organizations including the US Departments of Homeland Security, State, Treasury, and Commerce.
Third-Party Attacks by the Numbers
The healthcare industry is consistently the most common victim of third-party breaches. In 2021, the sector accounted for 33% of reported third-party attacks. While attacks can happen in a number of ways, ransomware, unauthorized network access, and unsecured servers and databases are the top three attack vectors.
Recommended Mitigations for Third-Party Attacks
With vast networks of suppliers, managing risk and protecting your organization can feel overwhelming. Leading cyber experts suggest that adopting a zero-trust methodology is the best way to reduce third-party and attack surface risks. In a third-party risk survey from Ponemon, 51% of respondents said their organizations are not assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information. By treating vendors like any other IT asset, you can better protect against supply chain attacks and understand the risk each supplier carries from the start of the relationship.
Third-party attacks won’t slow down anytime soon. With proper preparation and mitigation, critical infrastructure agencies can help protect their customers, clients, and ultimately, the US’ national security and prosperity. To learn more about the cyber threats that critical infrastructure sectors face, download our report today.