In today’s interconnected world, supply chains are essential for nearly every product and service. Yet, this interconnectedness comes with vulnerabilities. In fact, 41% of organizations that suffered material impacts from a cyberattack in 2023 report that those cyberattacks originated from a third party, according to the 2024 Global Cybersecurity Outlook by the World Economic Forum.
What supply chain security issues might your organization face? How can you protect your supply chain from possible attacks? In this article, we explore seven proven best practices to help you fortify your cybersecurity in supply chain management and enhance your organization’s resilience to evolving threats.
Importance of cybersecurity supply chain risk management
Why should you even bother?
Just like a human body is made of different organs and systems, a supply chain comprises different companies, activities, people, resources, and information. And if just one part gets compromised, the entire system is at risk.
What is your supply chain?
A supply chain is all the processes that enable the flow of goods and services between multiple entities to end customers. According to Gartner, a supply chain is “a group of functions and processes focused on optimizing the flow of products, services and related information from sources of supply to customers or points of demand.” This includes “planning, sourcing and procurement, manufacturing, distribution, transportation, and services within a company and its ecosystem of partners.”
In your supply chain, key entities include partners, vendors, suppliers, and service providers that have direct or indirect influence on the production and delivery of your end product or service.
It’s important to distinguish between your internal supply chain entities and external third parties. The latter are where most supply chain cybersecurity risks originate, since organizations typically have limited capabilities for managing third parties.
Note: For simplicity’s sake, we use the terms partner, vendor, supplier, and third party interchangeably in this article, despite slight nuances in their meanings.
What industries are most vulnerable to supply chain attacks?
Industries that rely on extensive and complex supply chains — fast-moving consumer goods, IT, manufacturing, healthcare, agriculture, retail, etc. — should be especially aware of supply chain risks.
Even if your company doesn’t belong to any of these industries, it is still advisable to take proper precautions to minimize cybersecurity risks in the supply chain.
How do organizations handle supply chain risks?
To maintain their resilience, organizations look for ways to efficiently manage risks associated with their supply chains. Several trustworthy agencies publish their recommendations on how to secure supply chains. For example, the National Institute of Standards and Technology (NIST) develops practical standards, guidelines, tests, and metrics to help organizations implement cybersecurity supply chain risk management (C-SCRM).
An important part of C-SCRM is developing an efficient risk response strategy. Gartner finds that reducing the attack surface of the risk target is effective in reducing supply chain disruptions. This suggests you should limit the number of touchpoints (products, processes, and networks) that risk events have with your supply chain.
Most common supply chain risks for organizations
Organizations usually face the following supply chain risks:
Financial risks
- Revenue loss
- Contractor bankruptcy
- Business partner fines & penalties
- Compliance fines
Reputational risks
- Loss of brand’s good name
- Reputational damage among partners
- Loss of trust among customers and investors
Legal risks
- Legal disputes with suppliers
- Lawsuits
- Administrative penalties
Operational risks
- Interruptions of business operations
- Supply chain disruptions
- System breakdowns
Cybersecurity risks
- Supply chain attacks
- Malicious insider activity
- Inadvertent threats
In this article, we discuss the specifics of cybersecurity risks and options for mitigating them. Strong cybersecurity is the key to safe and stable supply chain operations, considering that many business processes and interactions are going digital.
Security in supply chain management must not be regarded solely as an IT issue — even a single security breach entails other risks, including possible financial losses, damage to the brand’s image, and operational disruptions.
Let’s now dive into the specific cybersecurity threats coming from the supply chain.
Major supply chain cybersecurity threats
To prevent possible supply chain security incidents, we first need to understand what causes them. Have a look at the factors contributing to poor supply chain cybersecurity:
1. Lack of visibility over third parties — Organizations may be unaware of what their external supply chain entities do with their critical systems and data.
2. Poor data management — Companies may fail to securely use, store, and protect their important data. In addition, sensitive information may be shared and distributed carelessly across multiple supply chain members without considering the consequences.
3. Excessive third-party access rights — Organizations frequently grant third parties access to their systems but rarely put in place proper access limitations. While this approach may seem convenient, it often leads to privilege misuse, data theft, and other negative outcomes.
To make your supply chain secure, you need to understand the particular threats it faces.
All supply chain components are deeply interconnected. Without the proper level of supply chain vulnerability protection, cybercriminals may execute a supply chain attack, targeting weaker links in your supply chain and using them as entry points.
A well-known example of such an attack is the MOVEit data breach incident, in which cybercriminals exploited a vulnerability in Progress Software’s MOVEit file transfer application used by thousands of organizations worldwide. Starting on May 27, 2023, malicious actors had been stealing customer and employee data, including personal and confidential information. As of October 25, 2023, the incident affected over 2,500 organizations that used the MOVEit file transfer system, including BBC, British Airways, Zellis, CNN, and the United States Department of Energy.
Your supply chain can also fall victim to malicious insider activity and unintentional threats.
Major supply chain security threats:
- Supply chain attacks
- Unintentional threats
- Malicious insider activity
Let’s take a closer look at each supply chain security threat:
Supply chain attacks
A supply chain attack is often called island hopping. Instead of attacking a company directly, cybercriminals can infiltrate or disrupt a vulnerable supply chain component. A compromised entity can be exploited to escalate the attack further down the supply network.
Supply chain attacks can be performed in a number of ways:
Infected software and hardware. Attackers may infect a piece of software or implant a malicious component in a company’s hardware. Once the infected software or hardware is installed, the malware spreads across multiple entities throughout the supply chain.
The number of software supply chain attacks detected in 2024 doubled compared to 2023, according to the 10th Annual State of the Software Supply Chain Report.
Trusted account compromise. This involves impersonating a familiar email account to appear as a trusted partner within the supply chain. Business email compromise is an example of such an attack. If the compromised email account is trusted, cybercriminals can use social engineering and phishing techniques to compromise more email accounts or trick recipients into revealing critical data.
Watering hole attacks. Cybercriminals can target a website visited by a large number of organizations. A compromised website can distribute malware across multiple endpoints within a supply chain or even an entire industry.
Attacks on data storage services. Some organizations hire third-party companies and cloud services to aggregate, store, and process their data. Attackers may undermine the security of these data storage providers to gain access to valuable information and commit large-scale fraud. This can be accomplished by cloud jacking, for example.
Unintentional threats
Your employees and vendors may inadvertently cause data leaks and breaches, supply chain disruptions, and other negative consequences.
Unintentional threats can occur as a result of:
- Human error
- Poor third-party cybersecurity
- Employee negligence
Human error. Your employees, vendors, and other supply chain entities might make accidental errors that put your cybersecurity and the supply chain at risk. For example, a partner could mistakenly send your sensitive data to the wrong recipient. Alternatively, one of your suppliers with access to your systems may accidentally delete a piece of important data.
Poor third-party cybersecurity. Suppliers and vendors may fail to adequately secure their systems or utilize necessary cybersecurity measures on their endpoints. For instance, your supply chain members might struggle to implement proper IT security standards or fall victim to an insider attack. As we mentioned earlier, if even one vendor is compromised, a domino effect can occur, undermining more supply chain links.
Employee negligence. Even the most secure system is not 100% safe if used by negligent personnel. A single employee ignoring password recommendations can cause an account compromise. Malicious actors can also easily exploit security-unaware staff and escalate their access through the supply chain.
Malicious insider activity
The entire supply chain, including your organization, may suffer from malicious insiders — employees purposefully seeking to compromise your critical data and systems.
The risk of insider threats is constantly growing. In fact, from 2023 to 2024, the percentage of internal actors in data breaches grew from 20% to 35%, according to Verizon’s 2024 Data Breach Investigations Report.
Malicious actors inside your organization are not the only danger:
In a supply chain, your third parties might also be a source of insider threats, as they have access to your networks and data.
According to Gartner, malicious insiders — both your employees and vendors — may cause damage in the following ways:
Data theft. Malicious insiders might steal valuable data like intellectual property or information on your finances, clients, and marketing strategies. Your competitors, for example, can use your employees or supply chain members to perform industrial espionage.
System sabotage. Insiders can damage your organization’s systems by altering important network configurations, installing malware and shadow IT, or deleting critical data. As a result, your business can be disrupted directly or through your supply chain.
Fraud. Malicious actors may use an organization’s IT infrastructure to perform fraudulent activities. For personal gain, an insider can exploit corporate data and assets to commit identity fraud. For example, an authorized third party might abuse your client data to issue illegal payments or create inaccurate invoices for personal benefit.
What makes malicious insiders dangerous is that their actions are almost indistinguishable from regular workplace routines. Acting from a position of trust, malicious insiders can continue to perform harmful activities for a long time without getting caught.
According to IBM’s 2024 Cost of a Data Breach Report, malicious insider attacks had the highest costs compared to all other vectors, averaging $4.99 million.
Fortunately, there’s a solution.
To efficiently address supply chain security problems, you can implement cybersecurity supply chain risk management in your organization.
Top 7 supply chain security best practices
To enhance the security of your supply chain, you need to think beyond third-party security risk management and employ a more holistic strategy of cyber supply chain risk management (C-SCRM).
C-SCRM is the process of identifying, assessing, and mitigating the cybersecurity risks that information and operational technologies pose to a supply chain. Integrating information security with supply chain management, C-SCRM can help you enhance business continuity, supply chain visibility, and cybersecurity compliance.
We’ve compiled a list here of best practices in cyber supply chain risk management that you can adopt as part of your C-SCRM strategy to protect your supply chain. To develop your own C-SCRM program, you can refer to NIST Special Publication SP 800-161r1 and NIST Key Practices in Cyber SCRM.
7 best practices to protect your supply chain:
1. Conduct a supply chain risk assessment
2. Establish a formal C-SCRM program
3. Work with your suppliers on improving security
4. Strengthen your data management
5. Limit suppliers’ access to critical assets
6. Monitor your suppliers’ activity
7. Develop an incident response plan
1. Conduct a supply chain risk assessment
What risks does your supply chain pose?
Prior to taking any action aimed at enhancing security, it’s important to assess all possible risks. To do so, you need to understand your supply chain and know its key components. Outline all your suppliers and their level of cybersecurity access. It may be useful to group vendors into different risk profiles, prioritizing each third party by level of vulnerability, impact on your business, and access to your systems and data. Questionnaires and on-site visits can aid in assessing supply chain security risks.
Identify the weakest spots in your supply chain. Think about whether you can provide these suppliers with additional cybersecurity support or have them improve their security on their own.
Apart from the people and organizations in your supply chain, pay attention to the safety of your hardware and software. Supply chain security best practices involve identifying which processes in the supply chain pose a threat to sensitive data and systems. Think about what needs to be protected and why.
To better visualize the risks, draw a tree of all interactions between your organization and supply chain elements. This will help you track connections and get the full picture of supply chain risks.
We recommend assessing your supply chain risks on a regular basis. Assess the cybersecurity of your suppliers and how critical they are for your business operations. Based on your risk assessment results, you can establish your C-SCRM program.
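To make the assessment concrete, here is an added Python example (not from the article or from Syteca) that models the tree of interactions described above as a graph, computes which critical assets each supplier can reach, including through its own providers that your organization rarely sees, and assigns a risk tier from impact and the weakest security maturity along the path. Supplier names, asset names and maturity scores are constructed assumptions.

```python
from collections import deque

# Constructed example data (not from the article): who has a path into what.
# The organization grants access to its direct suppliers; suppliers in turn rely
# on their own providers (fourth parties), which the organization rarely sees.
ACCESS = {
    "acme":          ["logistics-co", "payroll-saas", "mft-vendor", "ci-consultant"],
    "logistics-co":  ["warehouse-wms"],
    "payroll-saas":  ["hr-db", "cloud-host"],
    "mft-vendor":    ["build-server", "customer-db"],
    "ci-consultant": ["build-server"],
    "cloud-host":    ["hr-db", "customer-db"],
}
CRITICAL_ASSETS = {"customer-db", "hr-db", "build-server"}
# Questionnaire-derived security maturity, 1 (weak) to 5 (strong); constructed.
MATURITY = {"logistics-co": 4, "payroll-saas": 4, "mft-vendor": 2,
            "ci-consultant": 4, "cloud-host": 2}

def reachable(start):
    """Breadth-first walk: every node reachable from `start` and the path to it."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in ACCESS.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def exposure(supplier):
    """Critical assets the supplier can reach, directly or via its own providers."""
    paths = reachable(supplier)
    return {asset: paths[asset] for asset in sorted(CRITICAL_ASSETS) if asset in paths}

def effective_maturity(supplier):
    """A chain is as strong as its weakest link: lowest maturity on any path."""
    worst = MATURITY.get(supplier, 1)          # unknown maturity counts as weak
    for path in exposure(supplier).values():
        for hop in path[1:-1]:                 # intermediaries on the path
            worst = min(worst, MATURITY.get(hop, 1))
    return worst

def risk_tier(supplier):
    """Impact (critical assets reachable) weighted by the weakest maturity."""
    n_assets = len(exposure(supplier))
    if n_assets == 0:
        return "low"
    score = n_assets * (6 - effective_maturity(supplier))
    return "high" if score >= 6 else "medium"

def fourth_party_paths(org):
    """Indirect routes to critical assets: the part of the tree with least visibility."""
    found = set()
    for supplier in ACCESS.get(org, []):
        for asset, path in exposure(supplier).items():
            for hop in path[1:-1]:
                found.add((supplier, hop, asset))
    return sorted(found)

def assessment(org):
    """Per-supplier summary to prioritize questionnaires, visits and support."""
    return {s: {"tier": risk_tier(s), "reaches": sorted(exposure(s)),
                "weakest_maturity": effective_maturity(s)} for s in ACCESS.get(org, [])}

if __name__ == "__main__":
    for supplier, r in assessment("acme").items():
        print(f"{supplier:14} tier={r['tier']:6} maturity={r['weakest_maturity']} reaches={r['reaches']}")
    print("indirect (fourth-party) paths:", fourth_party_paths("acme"))
```

In the sample data, payroll-saas looks mature on its own questionnaire but is tiered high because its cloud provider, a fourth party, can reach the customer database.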
2. Establish a formal C-SCRM program
When everyone is responsible, no one is accountable.
A formal C-SCRM program ensures accountability, as it clearly describes roles and responsibilities regarding business and cybersecurity aspects of relationships between your organization and suppliers.
A formal C-SCRM program is a document containing a thorough description of all measures applied to your supply chain cybersecurity. Compiling detailed policies, processes, procedures, and tools within a single source is an important step in managing your supply chain risks. A C-SCRM program is also a good place to classify your third parties based on their importance and risk levels. This will help your organization avoid partnerships with unreliable suppliers and vendors.
Define the structure of your C-SCRM based on your organization’s size. The larger an organization, the more extensive its C-SCRM program should be to cover all processes and aspects.
3. Work with your suppliers on improving security
A bundle is stronger than a single stick.
Maintaining a secure supply chain requires a close collaboration with your suppliers. According to NIST, some businesses organize entire supply chain ecosystems between companies “to increase coordination and simplify the management of complex shared supply chains.”
Regular communication with third parties is crucial for mitigating supply chain vulnerabilities. You can organize visits and gatherings dedicated to improving supply chain resilience and security, as well as conduct training to raise awareness among third parties.
It’s important to convey your security needs and standards to your suppliers and find ways to make them uniform throughout your entire supply chain.
To define responsibilities in your collaborations with suppliers, consider using service-level agreements (SLAs). An SLA will help you communicate and standardize requirements among your third-party vendors and hold them accountable for any cybersecurity incidents they might cause. An SLA should include all details regarding the cybersecurity aspects of your cooperation. Specify the duties of each party, security requirements, metrics for measuring compliance with requirements, fines for violations, etc.
4. Strengthen your data management
Secure your data.
The way valuable business data is collected, processed, and stored is critical when it comes to supply chain security. That’s why you need to have efficient network security in place and protect your business data with multiple layers, from separate applications used by your organization to your overall infrastructure.
Enhance your cybersecurity with data protection technologies such as encryption and tokenization. Perform regular data backups so that lost data can be recovered, and use data loss prevention solutions to stop sensitive data from leaving your environment. Consider using managed file transfer platforms to securely exchange data between different supply chain entities.
Make every possible effort to secure data management not only within your organization but across all of your suppliers’ infrastructures.
5. Limit suppliers’ access to critical assets
Do not blindly trust your supply chain.
To protect your important data and systems from malicious activity, limit your suppliers’ privileged access to them. Apply the principle of least privilege: each user, whether an employee or a supplier, gets access to your organization’s critical assets only to the extent needed to perform their regular duties.
You can also consider adopting a zero trust approach, which requires not only limiting access to critical assets but also always verifying the identity of every user and device accessing them. To further limit the risk of malicious actors accessing your organization, you can implement the network segmentation technique. This entails segregating your network into self-contained subnetworks aimed at protecting your sensitive data or assets even if one subnetwork is compromised.
6. Monitor your suppliers’ activity
Watch their actions.
To reduce the risk of a malicious insider attack in your organization, consider implementing continuous activity monitoring for your suppliers, vendors, and other supply chain entities accessing your systems.
Monitoring every external user accessing your network will increase the accountability of your third parties and allow for effective investigation in case of an incident. Additionally, third-party activity monitoring is a common IT compliance requirement.
Benefits of monitoring third-party activity:
- Detect malicious activity and respond to it in a timely manner
- Gather evidence for incident investigation
- Increase accountability of your third parties
- Meet IT compliance requirements for monitoring third parties
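As an added example that is not from the article or from Syteca, the following Python script combines practices 5 and 6: it encodes least-privilege, time-bound and device-verified access grants for third parties, then runs constructed session metadata (user, device, asset, launched application) through those grants and an application blocklist, producing the alerts an accountability review or incident investigation would start from. The grants, device ids, asset names and log records are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed access grants (assumptions, not from the article). Least privilege
# and time-bound access: each vendor may reach only the listed assets, only from
# its registered devices, and only until the grant expires.
GRANTS = {
    "mft-vendor":   {"assets": {"build-server"}, "devices": {"dev-7a1"},
                     "expires": "2024-06-30T23:59:59+00:00"},
    "payroll-saas": {"assets": {"hr-db"}, "devices": {"dev-22c"},
                     "expires": "2024-12-31T23:59:59+00:00"},
}
# Applications whose launch in any third-party session should raise an alert.
BLOCKED_APPS = {"psexec.exe", "anydesk.exe"}

# Constructed session metadata, one JSON record per event (the kind of text
# metadata a session-recording tool attaches to its video: user, device, asset, app).
SESSION_LOG = """\
{"time": "2024-06-10T09:02:11+00:00", "user": "mft-vendor", "device": "dev-7a1", "asset": "build-server", "app": "winscp.exe"}
{"time": "2024-06-10T09:15:40+00:00", "user": "mft-vendor", "device": "dev-7a1", "asset": "customer-db", "app": "ssms.exe"}
{"time": "2024-06-10T10:01:05+00:00", "user": "payroll-saas", "device": "dev-99f", "asset": "hr-db", "app": "chrome.exe"}
{"time": "2024-07-02T08:30:00+00:00", "user": "mft-vendor", "device": "dev-7a1", "asset": "build-server", "app": "psexec.exe"}
{"time": "2024-06-11T11:00:00+00:00", "user": "unknown-contractor", "device": "dev-000", "asset": "erp", "app": "excel.exe"}
"""

def check_event(event):
    """Return the policy violations for one session event (empty list = clean)."""
    grant = GRANTS.get(event["user"])
    if grant is None:
        return ["no access grant for this user"]
    findings = []
    if datetime.fromisoformat(event["time"]) > datetime.fromisoformat(grant["expires"]):
        findings.append("grant expired on " + grant["expires"])
    if event["asset"] not in grant["assets"]:
        findings.append("asset outside granted scope: " + event["asset"])
    if event["device"] not in grant["devices"]:   # zero trust: verify the device too
        findings.append("unregistered device: " + event["device"])
    if event["app"].lower() in BLOCKED_APPS:
        findings.append("blocked application launched: " + event["app"])
    return findings

def scan(log_text):
    """Run every record through the checks; keep only events that need attention."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = check_event(event)
        if findings:
            alerts.append({"time": event["time"], "user": event["user"], "findings": findings})
    return alerts

def summary(alerts):
    """Alert count per third party, the figure an accountability review starts from."""
    counts = {}
    for alert in alerts:
        counts[alert["user"]] = counts.get(alert["user"], 0) + 1
    return counts

if __name__ == "__main__":
    found = scan(SESSION_LOG)
    for alert in found:
        print(alert["time"], alert["user"], "; ".join(alert["findings"]))
    print("alerts per third party:", summary(found))
```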
7. Develop an incident response plan
How will you react to a security incident?
Due to the unpredictable nature of supply chain risks, it’s important to build your defenses on the assumption that your systems will be compromised. That way, even if a supply chain security incident happens, you will be fully prepared.
Based on your cybersecurity risk assessment results, create a detailed incident response plan for your security teams. The plan should include procedures, roles, and conditions of responses to a security incident.
If a security event happens outside your perimeter, providing assistance to a third party in mitigating the consequences is vital, as supply chain security is your security as well. Likewise, notify your suppliers promptly if your security is breached or third-party data is compromised.
How Syteca can help you manage supply chain security risks
Syteca is a cybersecurity platform that allows you to protect your inside perimeter from internal attacks, including supply chain threats. It offers powerful privileged access management (PAM), advanced user activity monitoring (UAM), and real-time incident response capabilities.
With Syteca PAM, you can:
- Granularly manage access to your critical assets. You can keep an eye on all accounts of your suppliers and employees, manage their access rights, and limit how long access rights are granted.
- Securely authenticate and validate users. Syteca enables you to validate user identities with the help of two-factor authentication and perform secondary authentication to distinguish between the users of shared accounts.
- Effectively manage passwords. You can automatically generate, encrypt, and manage the credentials of third parties and your employees. You can also provide your suppliers with one-time access by giving them single-use passwords. All passwords and secrets are located in a secure vault.

Syteca UAM allows you to:
- Record user sessions in a comprehensive screen capture format. You can watch the on-screen actions of your employees and suppliers both in recordings and live.
- Search and filter user sessions by multiple parameters. Syteca’s video recordings are enhanced with text metadata, enabling you to search through visited websites, launched applications, active window titles, and more. You can also filter user sessions by username and IP address.
- Generate comprehensive reports. You can export monitoring results using a collection of highly customizable reports. You can also export part of or a full user session in a standalone protected format for forensic investigation.

Syteca’s incident response functionality can help you to:
- Detect threats in a timely manner. With a proactive alert and notification system, your security team will receive an email notification immediately when a suspicious event is detected. Alerts may be triggered by various parameters, such as visited websites, typed keystrokes, or launched applications.
- Automatically respond to detected threats. You can respond manually or set the system to automatically block a suspicious third party, show them a warning message, or kill an application when a particular alert is triggered.

In addition, Syteca supports your efforts to comply with the GDPR, PCI DSS, HIPAA, DORA, and other cybersecurity laws, standards, and regulations.
Conclusion
The benefits of supply chains come at the price of risks posed to each supply chain entity — particularly cybersecurity risks. Tight interconnection raises the possibility of a supply chain attack, a malicious third-party attack, or unintended destructive activity inside your organization.
Follow the best practices described in this article and consider implementing a third-party vendor security monitoring solution to strengthen your supply chain security and reduce your vulnerability to potential threats.
With Syteca, you can take your supply chain risk management to a new level thanks to access management, third-party monitoring, reporting, and incident response capabilities.