More than 80% of organisations have experienced a data breach as a result of security vulnerabilities in their supply chains, as cyber criminals take advantage of the poor security of smaller vendors as a means of gaining access to the networks of large organisations.
Research by cybersecurity company BlueVoyant[1] found that organisations have an average of 1,013 vendors in their supplier ecosystem – and that 82% of organisations have suffered a data breach in the past 12 months due to cybersecurity weakness in the supply chain.
But, despite the risk posed by security vulnerabilities in the supply chain[2], a third of organisations have little to no indication of whether hackers have got into their supply chain, meaning that they may not find out that they've been the victim of an incident until it's too late.
Large companies are likely to be better protected than smaller companies, which means hackers are increasingly turning towards their suppliers as a means of infiltrating the network in a way that will often go unnoticed.
"Very often people think, well, what are our most critical suppliers and inevitably they end up with their top ten being some of the world's biggest names, like cloud providers. But that's not where the threat comes from," Robert Hannigan, chairman of BlueVoyant International, told ZDNet.
"It's much more likely that the real threat is going to come from a much smaller company you've never heard of but which is connected to your network," said Hannigan, who was previously director of GCHQ.
An example of this was seen in 2017 when the NotPetya attack infected organisations around the world[4], which was apparently first spread using the hijacked software-update mechanism of