Understanding the Frailty of the Software Supply Chain

February 7, 2021 | 3 min read

BlueVoyant

In December 2020, the cybersecurity industry faced its latest major attack – SolarWinds. This hack reinforces the frailty not only of the software supply chain but also of the wider third-party vendor ecosystem. As more information is uncovered, it is becoming clear that this extensive ecosystem of vendors is a gateway for attackers to move from one network to the next.

Tackling exponential risk in the software supply chain

The software supply chain presents a compounding risk: a single compromised software channel, such as a trusted update mechanism, can be used to push malicious code to every customer downstream of it. SolarWinds is unfortunately an example of this type of attack. Once the adversaries had compromised the vendor's build and update process, every downstream organization that installed the tainted update became reachable to them.

Recent research undertaken by BlueVoyant with 1,500 CIOs, CISOs and Chief Procurement Officers across six verticals and five countries showed the extent of unmanaged risk in software supply chains and third-party vendor ecosystems. The research helped to quantify the size of third-party vendor ecosystems and underlined that each vendor has its own software supply chain, which compounds and multiplies the risk.

Cybersecurity Breaches Caused by Third-Party Vendors

Overall, the research revealed that globally four in five firms surveyed (80%) had suffered a cybersecurity breach caused by a third-party vendor, and that the average respondent's organization had been breached in this way 2.7 times.

A Growing Vendor Ecosystem

On average, the organizations surveyed work with 1,409 third-party vendors.

The size of the risk across different vertical sectors

Third-party cyber risk was evident in several key vertical sectors. Those that are particularly exposed operate within critical industries such as financial services, healthcare and pharmaceutical, and business services (insurance, legal, etc.), all of which have very large supplier ecosystems.

89% of business services organizations surveyed said they had suffered a breach because of weaknesses in their supply chain in the last 12 months. The figure was 86% among healthcare and pharmaceutical companies and 85% among financial services organizations. Other verticals were slightly lower: 80% for utilities, 79% for energy and 57% for manufacturing.

But it doesn't stop there. If third parties increase the risk of a data breach, their own suppliers introduce breach risk from fourth and fifth parties as well. Organizations in every vertical must therefore consider who each vendor is outsourcing services to. Often a company outsources a service to a third party, which in turn outsources specific functions to other vendors; or, if the third party is using technology to deliver that service, it might contract an external development house to undertake the software development. The BlueVoyant research shows the number of vendors that different vertical sectors are working with.

[Chart: number of third-party vendors by vertical sector, including manufacturing]

The research also revealed that, depending on the vertical, between 40% and 70% of organizations work with 501 or more third-party vendors. Furthermore, only a small percentage are monitoring all of their suppliers, meaning these organizations have limited visibility over the rest.

Clearly, in today's market of disappearing perimeters between an organization and its partners, the threat residing in the extended supplier software ecosystem is substantial. Overall, the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment are defeating attempts to manage third-, fourth- and fifth-party cyber risk in a meaningful way.

For organizations to make progress in managing this environment, reduce the current concerning rate of breaches and avoid a SolarWinds-type hack, they need to pursue greater visibility across their entire vendor ecosystem. They also need to work constructively with vendors across the whole software supply chain. This should include alerting a vendor when new risks emerge and providing practical steps for it to follow to remediate the problem.

The SolarWinds hack is a wake-up call for the whole industry. Across the board, organizations must proactively bolster their cybersecurity efforts together with trusted vendors and security platforms within the supply chain. The full report, Global Insights: Supply Chain Risk, is available for download.