As cyberattacks pose a growing threat to business operations, reputations and the bottom line, it’s never been more important to account for the full range of attack vectors that cybercriminals exploit.
This doesn’t just mean identifying internal vulnerabilities — it’s also about evaluating the cybersecurity posture of third-party vendors and other partners. Supply chain cyberattacks are on the rise, and companies must be capable of protecting themselves from breaches that can compromise their data and infiltrate their networks, no matter where those breaches originate.
Digital supply chains encompass a wide array of organizations and networks. All companies use third-party software, while employees have countless interactions with vendors, clients, suppliers and other partners every day. Cybercriminals are well aware of this dense web of connections, and they recognize that there are many indirect ways they can breach a company’s secure systems. Companies have to carefully assess which types of data they share, ensure that their employees are trained to spot potentially malicious content and suspicious behavior, and observe rigorous cybersecurity standards across the supply chain.
Companies bear responsibility for the security of their supply chains. Customers won’t care whether their sensitive data was breached through a third-party organization or on your own servers. Regulators will still hold you accountable if one of your partners makes a mistake that leads to a breach across the supply chain. That’s why companies must pay close attention to every link of the supply chain and implement controls that will keep their entire network secure.
A New Wave of Cyberattacks
Recent supply chain shocks reminded companies how reliant they are on partners around the world, as well as how crises can ripple throughout the entire supply chain. In the same way, many companies have recently discovered that data breaches and other cyberattacks can have significant consequences for multiple organizations simultaneously.
According to Verizon’s 2024 Data Breach Investigations Report (DBIR), there’s been a 68% year-over-year increase in the amount of “supply chain interconnection” involved in breaches. The latest report from the Identity Theft Resource Center (ITRC) found that the number of organizations targeted by supply chain attacks surged by 2,600% between 2018 and 2023. ITRC reports that there were 54 million victims of supply chain attacks in 2023 – 15% of the total. Similarly, IBM reports that 15% of total data breaches involved attacks on the “business partner supply chain.” These breaches cost victims an average of $4.76 million, 13% higher than breaches that didn’t involve the supply chain.
It’s clear that supply chain cyberattacks are among the most urgent cyber threats companies face in 2024. To address them, it’s vital that companies focus on comprehensive cybersecurity across the supply chain, which means improving visibility and reporting, applying consistent standards for data security and management, and building a culture of cybersecurity awareness throughout the partner ecosystem.
Top Supply Chain Cyberthreats
Cybercriminals exploit a wide range of supply chain vulnerabilities. Verizon’s DBIR points out that supply chain breaches can be caused by many factors, from infiltrations at third-party data processing facilities to physical breaches at a partner company. Many supply chain cyberattacks rely on social engineering — the deception and manipulation of people to gain initial access and steal sensitive data. Verizon reports that 68% of all breaches involve a human element at some point in the attack.
What makes this statistic more remarkable is that it excludes malicious actors, which means over two-thirds of breaches can be mitigated through cybersecurity awareness training. This applies to supply chain breaches as well. For example, if cybercriminals steal credentials from a supplier or distributor, they may use them to contact other organizations in the supply chain with requests for financial transfers or sensitive information. When employees are trained to identify suspicious activity — such as coercive language in emails, a sense of urgency, and demands for privileged access or information — they’ll be more likely to confirm the veracity of requests and report potential cyberthreats.
Just as companies must have strict requirements for how data is shared, stored and managed, it’s critical to make sure that third-party partners prioritize employee training and cybersecurity awareness. An emphasis on awareness training will improve the cybersecurity posture of all links in the supply chain, and address the full range of potential cyberattacks.
Guarding Against Social Engineering Attacks
According to IBM, two key variables that increase the cost of a data breach are the involvement of supply chain partners and security skills shortages. There are many cases in which these vulnerabilities are exploited at the same time. For example, when Uber suffered a breach in late 2022, the company reported that the breach was caused by a contractor accepting a fraudulent two-factor authentication request. This is a reminder that a lack of cybersecurity awareness among third parties can lead to data breaches that affect the whole company.
There are several ways that companies can build cyber resilience into their supply chains. Given the prominent role of social engineering in supply chain attacks, they need to implement cybersecurity awareness training programs that focus on engagement, personalization and accountability.
To keep employees engaged, it’s necessary to provide training content that’s entertaining, relevant and based on real-world supply chain breaches. Security leaders must also personalize the content, which means accounting for different learning styles, knowledge levels and psychological profiles. Finally, these programs need to be accountable, which requires security leaders to ensure that employees are learning what they need to know, and consistently assess the overall state of the company’s cyber readiness.
Accountability extends beyond the four walls of your company, so it’s crucial to partner with organizations that take cybersecurity seriously. Companies can do this by making sure that their partners have effective awareness training programs in place, and that they rigorously track the performance of those programs with assessments such as simulated phishing. If vendors and other partners can’t meet these standards, companies should look elsewhere. As the DBIR notes, it’s important to “not reward the weakest links in the chain.”
Visibility is another essential component of supply chain cybersecurity, as supply chain partners must have effective resources for monitoring and reporting potential cyberthreats. The SolarWinds hack in 2020 was one of the largest supply chain attacks of all time, affecting many businesses (such as Intel and Cisco) and government agencies.
SolarWinds reported that the most likely attack vector was a “compromise of credentials and/or access through a third-party application.” The cyberattack likely could have been caught much sooner if government officials who first detected suspicious activity had contacted other agencies and companies to investigate the breach more thoroughly.
Considering how interconnected digital systems have become, supply chain cyberattacks will continue to rank among the top cyberthreats companies face. By working with partners to build stronger cybersecurity infrastructure – complete with well-trained workforces and effective incident reporting and response mechanisms – companies will protect their supply chains from the ongoing escalation of cybercriminal activity.
Shaun McAlmont is chief executive officer of Ninjio Cybersecurity Awareness Training