28 January 2025


Cyber risk in supply chains: A top concern for business in 2025


In today's interconnected world, supply chains are both the circulatory system and the potential 'Achilles' heel' of global commerce. The threat of cyber-attacks via the supply chain, i.e. an attack on a supplier that then jumps across into an organisation's own systems, has escalated from a minor concern to a top-tier risk for businesses worldwide. With these attacks on the rise, understanding how to identify and mitigate potential weak links is vital for business leaders aiming to safeguard their operations. In this article, Katherine Kearns explores the risk and provides key advice for businesses and suppliers alike.

The escalation of cyber threats on supply chains

Supply chain attacks are not merely a rising trend; they have become a dominant theme in the threat landscape over recent years. The attack on SolarWinds in 2020 was followed by a significant uptick in incidents in 2022 with further escalation throughout 2023 and 2024, placing supply chain attacks as one of the top three cyber threats alongside ransomware attacks and Adversary-in-the-Middle phishing campaigns.

The appeal of supply chain attacks for cybercriminals is undeniable. By exploiting supplier networks or leveraging open-source technologies, threat groups enhance their chances of penetration and increase their potential return on investment. Attacking a single vendor can translate into multiple victims being compromised, amplifying the impact of each breach and often leading to hidden costs for downstream customers.


Why supply chain attacks are favoured by threat actors

- Supply chain attacks are sophisticated, difficult to detect, and arduous to prevent.

- Innocuous tools can be repurposed to exploit trust and mount extensive attacks.

- Open-source components, foundational to modern digital infrastructures, present substantial risks if backdoors are introduced by Advanced Persistent Threats (APTs).


Key risks for organisations

Organisations face three main risk scenarios from supply chain attacks:

  1. Software compromise: A well-known attack vector involves cybercriminals gaining access to a widely-used software product. Attackers breach a software vendor's network and implant malicious code that is then distributed to customers through standard updates. Compromised software of this kind is a top entry method used by both state-backed espionage groups and ransomware actors.
  2. Managed Service Provider (MSP) compromise: Hosting or service providers, often supporting organisations with a less mature security posture, present attractive targets. Threat actors compromise these providers to reach numerous victims simultaneously, and the reduced regulatory scrutiny such providers face complicates detection and response.
  3. Single service provider disruption: Attacks against single service providers can cause widespread operational disruptions. A notable example is the Colonial Pipeline incident, where a ransomware attack led to significant fuel shortages across the US.

Mitigating risks: Strategies for organisations

To combat the burgeoning supply chain cyber threat, organisations must develop and implement robust supply chain risk management programmes. This involves:

  1. Identifying critical vendors: Companies must first recognise their third-party exposures, understanding which suppliers have access to critical data and infrastructure. This involves cataloguing those essential for business continuity and assessing the impact potential.
  2. Continuous monitoring: Regular assessment and continuous monitoring of critical vendors are vital. Instead of sporadic reviews, ongoing evaluations help identify any shifts in a supplier's risk profile or security posture.
  3. Integrating vendors into continuity plans: Incorporating critical vendors into business continuity plans ensures preparedness, introducing redundancies to eliminate single points of failure.
  4. Security control mandates: Ensuring contractual agreements include mandatory security controls is essential for maintaining rigorous standards.

Essentials for suppliers

For suppliers, adopting a robust cyber security posture is not just a competitive advantage but a minimum requirement. As part of a due diligence process, suppliers — particularly smaller ones — should:

  • Comply with industry regulations (e.g., NIS2 and DORA).
  • Implement contractual security controls (e.g., data sharing restrictions, stringent access controls, and secure data storage).
  • Invest in resilience-building measures (e.g., multi-factor authentication, endpoint protection, robust monitoring).

Securing operations can be challenging, especially for smaller companies, which need to prioritise investments in these areas to meet client expectations and regulatory demands.

Monitoring the wider supply chain

Post-contract monitoring of suppliers is critical, moving beyond initial assessments to adapt to continuous changes in a supplier's environment. AI and data-driven approaches enable organisations to automate the collection and analysis of risk data — such as exposed assets, leak site appearances, and publicised incidents. By effectively utilising AI, companies gain powerful insights into their suppliers’ vulnerabilities, potentially without direct engagement.

The future landscape

Looking ahead, supply chain attacks are likely to become even more attractive to cyber actors. This trend is amplified by factors like technological advancements facilitating quicker, more impactful attacks, and tightening regulatory oversight demanding improved supply chain security. Regulations like DORA and NIS2 are already setting precedents aimed at fortifying supply chain resilience.

Simultaneously, AI offers organisations a double-edged sword: while it enables more sophisticated attacks, it also equips defenders with real-time insights and rapid response capabilities. The interplay between AI, regulatory frameworks, and evolving threat tactics will continue to shape the dynamics of supply chain security, maintaining a perpetual game of cat and mouse.

In conclusion, organisations can no longer afford to underestimate the cyber risks inherent in their supply chains. Proactive risk management, continuous monitoring, and strategic supplier engagement are essential to mitigate these threats and protect the integrity of business operations on a global scale.

If you would like to discuss any aspect of cyber risk on your supply chain, please reach out to us.
