Why Supply Chains are Under Attack

Why Supply Chains are Under Attack

Avatar photo
Hwei Oh
6 min read
Share this article:

Most of the sensational data breaches that get covered on the news are about consumer-focused companies. That makes sense when we think about the impact that can come from these kinds of attacks. In one fell swoop, millions of customer records can be lost. Obviously, this carries a lot of weight since it is relevant to a wide cross-section of people. Some noteworthy breaches of this magnitude include T-Mobile, SolarWinds, and LastPass.

Supply chain companies may think they don’t need to focus on cyber resiliency if they and their customers are small. But this couldn’t be further from the truth because many hackers don’t discriminate based on size. Some even opt for smaller companies since they are perceived to be easier targets that have more lax security controls.

All B2B companies, especially those in the supply chain, have specific risks they need to be aware of that may impact their risk assessments and cybersecurity measures. We’re seeing that supply chains are the new target. Here’s what they need to focus on to be cyber resilient.

Supply chains are the new target

The interconnected nature of supply chains makes them an increasingly attractive target for cyber attackers. This is especially true for the software supply chain. Companies have become more reliant on digital technology and third-party software instead of managing their own internal tech stack. While that often brings productivity and cost benefits, it also comes with a loss of centralized control over software as well as vulnerabilities that often accompany these open-source and third-party dependencies.

Gartner has found that 60% of companies work with over 1,000 third-party vendors. Although there is this heavy reliance on third-party technologies, any ensuing risk management is an in-house responsibility that few companies consistently practice. Yet, proper risk management can reduce and prevent cybersecurity breaches and attacks from happening in the first place. Another way businesses open themselves to risk, which is common across all industries, is by using high percentages of open-source code and systems. These open-source data repositories can have outdated code and other vulnerabilities that often go unchecked.

Malicious actors realize that these software companies can serve as a backdoor into other organizations, and look for vulnerabilities such as outdated app versions, known exploits, or poor account security to work their way in. The domino effect can start with website providers, payment processors, wireless service providers, and so on.

One example of a software supply chain attack came from HAFNIUM, a group that attacked Microsoft Exchange servers in 2021. Multiple zero-day vulnerabilities allowed the group to attack these servers, which then gave the hackers an open door to the networks of thousands of organizations, including educational institutions, government agencies, and other businesses. During this time, cybercriminals had access to email accounts and were able to install malware on compromised systems.  This, in turn, allowed them to have long-term entry to those environments so they could steal more data or further compromise the systems. The upshot of this breach was that many smaller businesses became vulnerable because of the exploitation of a larger organization.

Customers can be impacted by lack of cybersecurity

Companies and customers alike can feel the impact of a cybersecurity incident. For big organizations, the loss of customers isn’t as significant. T-Mobile, which has suffered multiple data breaches, had millions of customers; so losing one, or even 100, isn’t that impactful to their bottom line. However, many supply chain companies have fewer than 1,000 customers, so losing a single customer who was negatively impacted by a data breach or other cyberattack can be extremely important.

Reputation matters, especially when you’re a smaller company; and cyber resilience is quickly becoming an important part of a company’s reputation. Poor cyber hygiene or cyber resilience matters. If your company succumbs to a data breach, you can lose customers very quickly and also ruin your chances for future deals.

Accenture’s 2022 Cost of Cybercrime Study found that 43% of all cyberattacks targeted small businesses. However, only 14% of these businesses were ready to defend themselves. Because the vast majority of small enterprises will be caught off-guard in the face of an attack, they stand a much smaller chance of surviving after the incident. Unfortunately, 60% of SMEs go out of business within six months of being hacked.

Growth can be impacted in multiple ways

Dozens of B2B startups pop up every year and try to become a key part of the software supply chain. Out of all startups around the world, about 61% are B2B. Many of these companies have some kind of software or technology focus, with approximately 11% being eCommerce, 20% fintech, 19% internet services, and 8% artificial intelligence businesses.

The software supply chain has many mainstay names – Salesforce, HubSpot, and Oracle, to name a few. It’s important to remember that all these companies started as small businesses. Startups at the beginning stages thrive on new customers and potential investors.

Verizon has found that the biggest cybersecurity threat against very small businesses (10 employees or fewer) is ransomware, followed by stolen credentials. If startups don’t prioritize investing in cybersecurity strategies, their growth potential can be drastically reduced – or destroyed – by these threats.

Investors who are weighing their options often have cybersecurity posture in their consideration set. When they think about potential investment opportunities, they may pass on a risky company that isn’t doing enough to be cyber resilient.

Early-stage startups may also rack up cyber debt, which is technical debt related to cybersecurity. There are so many things young startups need to do to become financially viable, that cybersecurity is often put on the back burner. Yet, when founders focus more on growing the business than they do on laying a strong foundation, they may find themselves on an unsteady footing as they grow.

Revenue-generating activities, like building a strong marketing plan, recruiting a sales team, and purchasing heavily integrated systems and SaaS-apps, can take a front seat to tasks that may not have as clear a connection to revenue, like forming a strong cybersecurity plan! However, without a focused priority on cybersecurity, those measures can expose a company to risks leading to a costly data breach and/or compliance fines that far outweigh any generated revenue. In today’s world, the price of becoming cyber secure will eventually need to be paid, and it’s a simple fact that this price is constantly rising. The companies that invest in cybersecurity early on will find themselves with reduced costs and an overall reduced risk exposure.

A managed security partner is the best option for supply chain companies

Supply chain companies, whether they’re just starting out or well-established, don’t have a lot of resources to build an in-house tech team. Even if they do, it can be hard to find the right expertise. The current cybersecurity skills gap means that there are 3.4 million jobs without cybersecurity experts to fill them. The software industry is fast-moving; and, with this gap and the shifting needs of companies, hiring an in-house team is not usually a practical solution.

Instead, software supply chain startups can make use of managed security partners. Bringing in outsourced cybersecurity experts can help companies build resiliency, get 24/7 protection, and equip them with prevention and remediation capabilities. Working with the right partner also means companies can build a reputation around investing in cybersecurity. This can make related tasks, like getting cyber insurance, easier to procure. Investors, as well as existing and future customers, like seeing companies take their cybersecurity seriously.

SolCyber offers a fully managed cybersecurity program that can grow with your business. We can help you achieve cyber resilience and fortify your link in the supply chain.

Follow us on these social platforms!

LinkedIn: https://www.linkedin.com/company/solcyber-managed-security-services/

Twitter: https://twitter.com/SolCyberMSS

Facebook: https://www.facebook.com/solcybermssp

Instagram: https://www.instagram.com/solcyber_mssp/

Avatar photo
Hwei Oh
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

The world doesn’t need another traditional MSSP or MDR or XDR.
What it requires is practicality and reason.

And security that won’t let you down. It's time to put an end to the cyber insanity once and for all.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!


Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

SolCyber. All rights reserved
Made with
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo