Your Biggest Security Risk May Be in Your Supply Chain
By Jeremy Ventura, Field CISO, Myriad360
The Hidden Threat in Plain Sight
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack by the BlackCat/ALPHV group. The breach exposed sensitive personal data of over 100 million individuals and disrupted claims processing for hospitals and pharmacies across the country, none of which had been attacked directly: Change was their trusted third party. It illustrated a growing issue: vulnerabilities at a vendor can undermine even the most robust internal cybersecurity defenses.
This was not an isolated incident. High-profile supply chain attacks like SolarWinds (a compromised build pipeline that shipped a backdoored update to customers) and MOVEit (a zero-day in widely deployed file-transfer software) have shown how a weakness in one third-party product can ripple across industries, causing widespread damage. These cases underscore a troubling reality: your security risk might not originate within your organization but through a trusted partner or vendor.
The Interconnectedness of Modern Supply Chains
Modern supply chains are deeply interconnected, involving a vast network of vendors, subcontractors, and service providers. While these partnerships foster innovation and scalability, they also significantly expand the attack surface. Cybercriminals exploit smaller, less-secure vendors to infiltrate larger, more fortified organizations.
For example, the 2013 Target breach began when attackers used credentials stolen from an HVAC subcontractor to reach the retailer's network and, from there, its point-of-sale systems. Similarly, the 2018 Ticketmaster breach stemmed from a customer-support chatbot script supplied by a third party (Inbenta) that was modified to skim payment card data from checkout pages.
The prevalence of such incidents is alarming. By one industry count, supply chain attacks surged by over 600% between 2020 and 2021, escalating from 12,000 to more than 88,000 known incidents. As businesses grow increasingly reliant on external providers, the need to secure every link in the chain has never been more critical.
Visibility Problems: The Hidden Danger
Visibility into supply chain operations is one of the most pressing challenges for organizations. Blind spots often exist around critical questions:
- Who has access to sensitive data?
- How is data exchanged between systems?
- What security practices do third-party vendors follow?
These gaps create opportunities for exploitation. A Dark Reading study revealed that in 2024, 39.1% of security professionals identified insufficient visibility as a top concern, up from 24.4% in 2023. Without this visibility, vulnerabilities remain undetected, extending recovery times and inflating remediation costs. Many organizations report spending weeks recovering from supply chain-related breaches, with expenses often exceeding $2 million.
A Software Bill of Materials (SBOM) is an inventory of the components inside a piece of software, who supplied them, and how they depend on one another. An SBOM is a point-in-time record, so it has to be paired with continuous monitoring platforms that match that inventory against vulnerability feeds and track data flows between systems. Together they let an organization answer, within hours of a new advisory, which products carry the affected component and through which vendor it arrived, and then enforce stricter security protocols and proactively address the risk.
Trust Without Verification: A Cultural Weakness
Over-reliance on vendor assurances is another significant issue. Many organizations operate on the assumption that their partners’ security measures are adequate. This misplaced trust creates vulnerabilities, especially when inherited systems or third-party integrations are involved.
The 2018 Marriott breach serves as a stark warning. Attackers exploited vulnerabilities in Starwood's reservation system, which Marriott inherited through a merger, resulting in the exposure of approximately 500 million customers' personal data. The intrusion had begun in 2014, before Marriott acquired Starwood in 2016, and went undetected for two more years after the deal closed. This incident highlights the dangers of failing to conduct thorough security assessments during acquisitions.
To mitigate these risks, organizations must implement independent verification processes, including regular penetration tests, third-party audits, and dynamic risk assessments. Such measures ensure that vendors’ security claims are substantiated, reducing the likelihood of catastrophic failures.
Building Resilience Against Third-Party Risks
Mitigating third-party risks requires a proactive and comprehensive strategy. Here’s how organizations can start:
- Establish Comprehensive Visibility: Leverage SBOMs and monitoring platforms to track data flows, map dependencies, and audit third-party security practices.
- Invest in Real-Time Oversight: Advanced platforms offer dynamic insights into vendor cybersecurity postures, enabling early detection and resolution of vulnerabilities.
- Embed Security into Vendor Relationships: Treat cybersecurity as a shared responsibility, incorporating it into onboarding processes and ongoing evaluations.
- Verify Through Testing: Conduct regular penetration tests and third-party audits to validate security measures and identify hidden vulnerabilities.
- Foster a Culture of Accountability: Build a collaborative approach to cybersecurity, ensuring all stakeholders recognize their role in maintaining secure systems.
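As an added illustration of the SBOM-driven visibility described above (both the discussion of SBOMs and the first step in this list), the following Python script is not from the original article or any vendor product. It parses a constructed CycloneDX-style SBOM embedded inline, maps every component back to the dependency path that brought it in, checks each component against a constructed advisory feed with hypothetical identifiers (ADV-EXAMPLE-0001 and ADV-EXAMPLE-0002 are not real CVEs), and lists components whose supplier was never recorded. All package names, versions and suppliers are invented for the example.

```python
import json

# Constructed CycloneDX 1.5-style SBOM (invented inventory, not a real product):
# "portal" depends directly on acme-sdk and yaml-parse; acme-sdk pulls in netlib transitively.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:app/portal@2.3.0", "name": "portal", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/acme-sdk@1.4.2", "name": "acme-sdk", "version": "1.4.2", "supplier": {"name": "Acme Corp"}},
    {"bom-ref": "pkg:pypi/yaml-parse@5.1.0", "name": "yaml-parse", "version": "5.1.0", "supplier": {"name": "Example Org"}},
    {"bom-ref": "pkg:pypi/netlib@0.9.7", "name": "netlib", "version": "0.9.7"}
  ],
  "dependencies": [
    {"ref": "pkg:app/portal@2.3.0", "dependsOn": ["pkg:pypi/acme-sdk@1.4.2", "pkg:pypi/yaml-parse@5.1.0"]},
    {"ref": "pkg:pypi/acme-sdk@1.4.2", "dependsOn": ["pkg:pypi/netlib@0.9.7"]},
    {"ref": "pkg:pypi/yaml-parse@5.1.0", "dependsOn": []},
    {"ref": "pkg:pypi/netlib@0.9.7", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs (not real CVEs):
# component name -> (advisory id, first fixed version). Versions below "fixed in" are affected.
ADVISORIES = {
    "netlib": ("ADV-EXAMPLE-0001", "0.9.8"),
    "yaml-parse": ("ADV-EXAMPLE-0002", "5.0.0"),
}


def parse_version(v):
    """Turn a dotted numeric version into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Return (root ref, components by bom-ref, dependency graph) from a CycloneDX JSON document."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_paths(root, graph):
    """Map every reachable ref to the path from the root, so a finding names who brought it in."""
    paths = {root: [root]}
    stack = [root]
    while stack:
        cur = stack.pop()
        for dep in graph.get(cur, []):
            if dep not in paths:
                paths[dep] = paths[cur] + [dep]
                stack.append(dep)
    return paths


def find_affected(sbom_text, advisories):
    """Match SBOM components against the advisory feed and report each hit with its dependency path."""
    root, components, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    findings = []
    for ref, comp in components.items():
        adv = advisories.get(comp["name"])
        if adv is None:
            continue
        adv_id, fixed_in = adv
        if parse_version(comp["version"]) < parse_version(fixed_in):
            findings.append({
                "advisory": adv_id,
                "component": f'{comp["name"]}@{comp["version"]}',
                "supplier": comp.get("supplier", {}).get("name", "unknown"),
                "fixed_in": fixed_in,
                "path": " -> ".join(components.get(r, {}).get("name", r) for r in paths.get(ref, [ref])),
            })
    return findings


def components_without_supplier(sbom_text):
    """Visibility gap check: third-party components with no supplier recorded (root app excluded)."""
    root, components, _ = load_sbom(sbom_text)
    return sorted(c["name"] for ref, c in components.items() if ref != root and "supplier" not in c)


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} (supplier: {f['supplier']}) "
              f"via {f['path']}; fix: upgrade to {f['fixed_in']}")
    print("no supplier recorded:", components_without_supplier(SBOM_JSON))
```

Run against the inline data, the script flags only netlib 0.9.7 (yaml-parse 5.1.0 is already past its fix version) and shows it arrived via acme-sdk, which is the question a security team actually has to answer when an advisory lands: not just "do we have it" but "which vendor shipped it to us". The same component also surfaces in the missing-supplier list, the kind of blind spot the visibility questions above describe. In production the SBOM would come from the build system and the advisory feed from a vulnerability database rather than an inline dictionary.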
By implementing these strategies, organizations can strengthen their ecosystems, mitigate risks, and build resilience against evolving threats. In today’s interconnected business landscape, securing your supply chain isn’t optional—it’s essential for survival.