Risk Ledger’s new survey of 2500+ suppliers reveals key supply chain cyber security weaknesses

Attackers are targeting under-resourced suppliers with weaker defences as a way of disrupting or compromising larger organisations. The notable ransomware attack on a supplier to semiconductor giant Applied Materials is expected to lead to $250 million in lost sales.

With well over 60% of organisations having suffered a data breach through a third party, this regularly results in regulatory fines, huge data recovery costs and loss of consumer trust. Spotlighting the key security weaknesses in the supply chain ecosystem, cyber security business Risk Ledger is publishing its ‘State of Cyber Security in the Supply Chain 2023’ report on Tuesday, 18th April, 2023. 

Supply chain ecosystem

The report is based on proprietary data from over 2,500 suppliers that have shared information on their risk posture against over 200 cyber security controls with their customers on the Risk Ledger platform. Based on its findings, it draws attention to the 12 most common weaknesses among suppliers and offers practical recommendations by cyber security experts for improving organisations’ third-party risk management strategies.

Some of the major findings revealed in this report include:

• 17% do not enforce multi-factor authentication (MFA) on all remotely accessible services.
• MFA is the simplest, most effective way to keep hackers out of your online accounts. However, whilst MFA is simple to implement, it does increase friction for the user and is therefore often provided as an optional setting which needs to be intentionally configured. This often leaves MFA disabled and the accounts vulnerable to unauthorised access through password theft.
• 23% do not use Privileged Access Management controls to securely manage the use of privileged accounts.
• Highly privileged accounts are the ultimate target for attackers. With high privileges, an attacker will be able to access more sensitive (and more valuable) data, and modify security detection tools to cover their own tracks.
• 20% do not use a password manager.
• People are terrible at remembering passwords, which means employees create insecure passwords like qwerty123. This is not their fault! Businesses need to provide a practical alternative.

Cyber security incidents

All three of these weaknesses are common causes of cyber security incidents and a high proportion of third, fourth and fifth party suppliers are not using controls to protect themselves or their customers in these areas.

There is a wealth of existing data on the tools hackers use to target companies

The perhaps biggest problem associated with supply chain cyber attacks is the almost total lack of visibility into the prevailing weaknesses among suppliers. There is a wealth of existing data on the tools hackers use to target companies, and on the effects of such attacks, allowing cyber security professionals to put specific defences in place.

There has been a total lack of visibility, however, into the main weaknesses in security postures of suppliers that allow these attacks to be successful in the first place. Risk Ledger’s new report gives this unique insight.

Most prevalent weaknesses

Risk Ledger’s CEO, Haydn Brooks commented: “Companies rarely run security assurance against more than 10% of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent.”

Haydn Brooks adds, “To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focussed. This is the purpose of our report. We want to share the insights we have obtained from suppliers on the Risk Ledger platform with the wider security community, allowing them to use our findings to benchmark their own suppliers against their peers.”

Risk Ledger’s ‘The State of Cyber Security in the Supply Chain: Data Insights Report 2023’ will be available for download on Risk Ledger’s website from Tuesday, 18th April, 9am BST.