May 29, 2024

Cyber Threat Deep Dive #1 – Supply Chain Attacks

For the first of a new blog series taking an in-depth look at specific types of cyber threat, we’ve invited third-party cyber risk management specialists ARX Alliance to shine a light on the world of supply chain attacks – what they are, what forms they take, and how to defend against them.

What is a supply chain attack?

A supply chain attack is a cyber-attack that targets an organisation indirectly, by exploiting the weaker security of one of its trusted partners or suppliers. The motive may be data theft, delivering malware, or disrupting operations.

Supply chain attacks are often underestimated, but their effects can be devastating, and they are typically harder to detect and stop than direct attacks because the malicious activity arrives through a channel the organisation already trusts. Securing the supply chain is difficult because a weakness may be inherent in a supplier, or be introduced and exploited, at any stage of the chain, and a weak link anywhere in it can cause harm and disruption to the organisation at the end of it.

How they work

For a supply chain attack to work, attackers look for vulnerabilities in the security of any of the target organisation's trusted suppliers or partners. When they discover a weak spot, they take advantage of it.

This might be as simple as an attacker obtaining a supplier employee's login credentials, for example from a credential dump traded on the dark web. With access to the supplier's mailbox, the attacker sends an email with a malicious attachment to the target company from the compromised account. Because the message really is sent from the supplier's mail system, it passes sender-authentication checks such as SPF and DKIM, and the recipient is likely to open the email and its attachment, believing it comes from a trusted source. Once the attachment is opened and its payload runs, the attacker has a foothold in the target company's systems.
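To make that scenario concrete, here is an added example (written for this post, not ARX's or CCL's tooling) of the kind of check a mail-security team can run. Because the message comes from the supplier's genuine account, SPF and DKIM pass, so the example ignores authentication results and instead scores each supplier message on how it deviates from what that sender has previously sent: a high-risk attachment type, an attachment type never seen from that sender, or a link to a host outside the supplier's own domain. The supplier domains, the sender history and the gateway log lines are all constructed for illustration.

```python
"""Score inbound mail from trusted supplier domains for signs of a
compromised supplier mailbox.  Added example: every domain, address,
baseline entry and log line below is constructed for illustration."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Assumed set of domains belonging to trusted suppliers (hypothetical).
SUPPLIER_DOMAINS = {"acme-supplies.example", "lawtech-msp.example"}

# Attachment types that commonly carry macro, script or container payloads.
HIGH_RISK_EXT = {"docm", "xlsm", "pptm", "iso", "img", "lnk", "js",
                 "vbs", "hta", "zip", "html"}

# Constructed baseline: attachment types each supplier sender has sent before.
BASELINE = {
    "jane@acme-supplies.example": {"pdf"},
    "ops@lawtech-msp.example": {"pdf"},
}

# Constructed mail-gateway log, one JSON record per line.  Every message from
# a supplier domain has auth "pass": SPF/DKIM cannot distinguish a hijacked
# account from its legitimate owner, so the third record passes too.
MAIL_LOG = """\
{"ts":"2024-05-20T09:02:11Z","from":"jane@acme-supplies.example","to":"ap@target.example","auth":"pass","attachments":["invoice_0519.pdf"],"links":[]}
{"ts":"2024-05-21T09:05:40Z","from":"jane@acme-supplies.example","to":"ap@target.example","auth":"pass","attachments":["invoice_0520.pdf"],"links":[]}
{"ts":"2024-05-22T14:31:02Z","from":"jane@acme-supplies.example","to":"ap@target.example","auth":"pass","attachments":["remittance.docm"],"links":["https://acme-supplies-login.example/verify"]}
{"ts":"2024-05-22T15:10:55Z","from":"ops@lawtech-msp.example","to":"it@target.example","auth":"pass","attachments":["patch_notes.pdf"],"links":["https://lawtech-msp.example/kb/123"]}
{"ts":"2024-05-22T16:00:00Z","from":"sales@random.example","to":"it@target.example","auth":"fail","attachments":["quote.zip"],"links":[]}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def ext_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def score_supplier_mail(messages, baseline=None, supplier_domains=SUPPLIER_DOMAINS,
                        high_risk_ext=HIGH_RISK_EXT):
    """Return alerts for authenticated supplier messages that deviate from the
    sender's history.  Messages are processed in order, so each one extends the
    baseline used for the messages after it."""
    seen_ext = defaultdict(set)
    for sender, exts in (baseline or {}).items():
        seen_ext[sender.lower()] = set(exts)

    alerts = []
    for msg in messages:
        sender = msg["from"].lower()
        sender_domain = domain_of(sender)
        if sender_domain not in supplier_domains:
            continue  # not a trusted-supplier sender; other controls apply
        if msg.get("auth") != "pass":
            continue  # spoofed senders are DMARC's job; this check is for genuine accounts

        reasons = []
        for att in msg.get("attachments", []):
            ext = ext_of(att)
            if ext in high_risk_ext:
                reasons.append(f"high-risk attachment type .{ext} ({att})")
            elif ext and ext not in seen_ext[sender]:
                reasons.append(f"first .{ext} attachment from this sender ({att})")
        for url in msg.get("links", []):
            host = (urlparse(url).hostname or "").lower()
            # A lookalike such as acme-supplies-login.example is neither the
            # supplier's domain nor a subdomain of it.
            if host and host != sender_domain and not host.endswith("." + sender_domain):
                reasons.append(f"link to non-supplier host {host}")

        if reasons:
            alerts.append({"ts": msg["ts"], "from": sender, "reasons": reasons})
        for att in msg.get("attachments", []):
            seen_ext[sender].add(ext_of(att))
    return alerts


def flag_sample():
    """Run the scorer over the constructed log with the constructed baseline."""
    return score_supplier_mail(parse_log(MAIL_LOG), baseline=BASELINE)


if __name__ == "__main__":
    for alert in flag_sample():
        print(alert["ts"], alert["from"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Only the third record is flagged: the `.docm` attachment and the link to `acme-supplies-login.example` each produce a reason, while the MSP's PDF with a link to its own domain and the two earlier invoices do not. In production the baseline would come from weeks of gateway history rather than a dictionary, and first-contact alerts would be routed for review rather than blocked outright.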

Potential forms of attacks

Social engineering - Attackers will use social engineering to manipulate individuals operating within the supply chain into unintentionally compromising the security of the target organisation.

Compromise third parties - Attackers compromise a supplier that holds important data on the target, or a managed service provider (MSP) that has direct access to the target's network.

Disrupt the supply chains - Launching attacks, such as Distributed Denial of Service (DDoS) attacks, against critical suppliers to disrupt the supply chain.

Compromise software - Attackers will insert malicious code or backdoors into legitimate software products or applications used by the target organisation.

Compromise hardware - Attackers might insert harmful hardware components like implants or malware-infected storage devices during manufacturing or shipping.
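For the "Compromise software" form, one concrete check a practitioner can apply before installing anything a supplier ships is to verify it against the digests the vendor publishes out of band. The following is an added example, not code from this page or from any vendor: it parses a SHA256SUMS-style manifest, hashes the files in a download directory and reports intact, mismatched, missing and unlisted files. It catches an artifact altered in transit or on a mirror; it cannot catch a backdoor the vendor itself built in after an upstream compromise, which is why integrity checks complement rather than replace supplier assessment. The files and manifest are constructed inside the example.

```python
"""Verify downloaded software against a vendor-published SHA-256 manifest.
Added example: the manifest format is the common 'digest  filename' layout,
and every file and digest in demo() is constructed for illustration."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines into {filename: digest}.
    Blank lines and '#' comments are ignored; a leading '*' on the filename
    (coreutils binary-mode marker) is stripped; malformed digests raise."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest
    return expected


def verify_directory(manifest_text, directory):
    """Compare every file in `directory` with the manifest.
    Returns {'ok': [...], 'mismatch': [...], 'missing': [...], 'unlisted': [...]}.
    'unlisted' matters as much as 'mismatch': a file the vendor never published
    has no business sitting next to the installer."""
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    present = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    for name, digest in expected.items():
        if name not in present:
            result["missing"].append(name)
            continue
        actual = sha256_file(os.path.join(directory, name))
        (result["ok"] if actual == digest else result["mismatch"]).append(name)
    result["unlisted"] = sorted(present - set(expected))
    return result


def demo():
    """Constructed scenario: one file intact, one tampered after the vendor
    published its digest, one listed but missing, one present but unlisted."""
    good_installer = b"legit installer v1.2"
    good_helper = b"helper library"
    manifest = "\n".join([
        "# vendor-published SHA256SUMS (constructed for this example)",
        f"{hashlib.sha256(good_installer).hexdigest()}  installer.bin",
        f"{hashlib.sha256(good_helper).hexdigest()}  helper.so",
        f"{hashlib.sha256(b'release notes').hexdigest()}  README.txt",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "installer.bin"), "wb") as f:
            f.write(good_installer)
        with open(os.path.join(d, "helper.so"), "wb") as f:
            f.write(good_helper + b" + implanted code")   # tampered on the mirror
        with open(os.path.join(d, "extra.dll"), "wb") as f:
            f.write(b"not in the vendor manifest")
        return verify_directory(manifest, d)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

The manifest must be obtained separately from the files it covers, ideally over a different channel or with its own signature, otherwise an attacker who can replace the installer can replace the checksum file beside it just as easily.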


65% of cyber-attacks target under-resourced suppliers

430% increase in supply chain cyber attacks

40% of small and medium-sized businesses have no cyber defence at all

87% of businesses don’t review risks posed by their immediate suppliers

Understanding Third Party Risk Management (TPRM)

TPRM involves identifying, assessing, and controlling the risks that come with working with third parties. This means evaluating their security posture and ensuring their compliance with policies and regulations. By implementing TPRM, businesses can better safeguard sensitive data and reduce the likelihood of a cyber attack reaching them through a supplier.

The first step in TPRM is to identify and categorise third parties based on their criticality and level of access to the organisation’s systems and data. This helps in prioritising the evaluation and monitoring efforts accordingly.

Once third parties are identified, a comprehensive assessment of their security controls, policies, and practices needs to be conducted. This can be done through industry-specific questionnaires or tailored, company-specific questions. It provides insight into each third party's security posture and helps identify potential vulnerabilities or gaps. Questionnaire answers are self-reported, so for the most critical suppliers they should be corroborated with evidence such as audit reports, penetration test summaries, or independent certifications.

The assessment should be followed by risk evaluation and mitigation. Organisations need to review the assessment findings and determine the level of risk associated with each third party. This helps in prioritising risk mitigation efforts and developing appropriate risk management plans.

TPRM is an ongoing process that requires continuous monitoring and communication. It is essential to regularly review and assess third parties’ security controls, monitor their activities, and ensure compliance with agreed-upon security requirements.

How ARX streamlines third party cyber risk management

Identify and assess third-party risk

ARX evaluates the risk exposure of each third party, including their security posture and compliance with policies and regulations. With ARX you can maintain a comprehensive list of all third parties used, categorise them by risk level, and conduct regular automated assessments.

Establish security requirements

ARX helps businesses define specific security requirements for all third parties, including data protection, access control, and incident response protocols. Establish clear contractual language outlining the security expectations and responsibilities of third parties.

Ongoing monitoring

ARX regularly monitors third party activity, reviews security reports, and helps companies conduct assessments on third parties. ARX provides the tools and resources to detect any potential security risks or vulnerabilities that may arise from the actions or systems of third parties.

Enables easy business decision-making

ARX analyses risks to help you anticipate potential impacts. This allows you to make informed business decisions that reduce the chance of a successful breach by attackers targeting your company through its suppliers. ARX equips you with the tools to take proactive steps in mitigating cyber risks posed by third parties.

Contact our cyber experts today to discuss how CCL and ARX can provide holistic solutions for Third Party Risk Management.

Examples of supply chain attacks that made the press

CTS Attack - IT provider for law firms

CTS is a key IT partner for the legal sector. In November 2023, they faced a cyber-attack that led to a service outage. This affected around 200 conveyancing firms, creating a ripple effect on the housing market. Homebuyers couldn't finalise purchases as law firms couldn't access crucial data for due diligence. This incident highlights how supply chain attacks can significantly impact businesses and individuals beyond the targeted company.

MSPs are attractive targets because they not only provide entry points into their customers' networks, but an attack on a single MSP can cause knock-on disruption to hundreds of companies as well as to consumers.

Firms now need to regularly assess risks within their supply chains by checking third-party vendors for security policies, procedures, and past security breaches.

Zaun - Security Fencing Supplier

Zaun Ltd specialises in high-security perimeter fencing products for prisons, military bases, and utilities. In August 2023 the company fell victim to the LockBit ransomware group. The group was believed to have gained access to historic emails, orders, drawings and project files, some of which related to UK military, intelligence, and research sites, including GCHQ and HMNB Clyde.

LockBit, a Russia-linked ransomware group, used Zaun as a route to sensitive security information and data related to the Ministry of Defence, amid rising geopolitical tensions.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch