A Comprehensive Guide to Preventing Supply Chain Attacks
Trusted by hundreds of companies worldwide
Executive Summary
About This Ebook
Organizations are recognizing the many benefits of
outsourcing vital business operations, such as increased
speeds and improved cost efficiencies. With the rapid
introduction of third-party data handling comes a familiar
challenge — cybersecurity risk.
The size and complexity of the digital supply chain can quickly
become difficult for information security teams to manage.
Every third party added to the vendor ecosystem expands the
attack surface. All it takes is for a threat actor to compromise
one link for the entire chain to collapse.
According to 2021 IBM research, third-party data breaches
cost organizations an average of $4.33 million per breach.
Aside from financial penalties, operational, legal, and
reputational damages follow shortly after.
It’s no longer enough to rely solely on robust internal
cybersecurity practices. Organizations need detailed visibility
into their vendor ecosystems to identify and remediate supply
chain vulnerabilities before cybercriminals exploit them.
“Third-party data breaches cost organizations an average of $4.33 million per breach in 2021.”
Source: Cost of a Data Breach Report 2021, IBM
www.upguard.com i
Who is this for?
This ebook is intended for executives and business leaders
who wish to enrich their understanding of supply chain
attacks. Its content deep dives into the specific cyber risks
that arise from the digital supply chain. Although there are
references to technical information, this ebook addresses
cyber risk from a business perspective.
What will be covered?
• What is the digital supply chain? What is a supply chain attack?
• How vendors generate third and fourth-party risks in the supply chain
• Real-world examples of data breaches arising from supply chain attacks
• How to foster a resilient digital supply chain
What is UpGuard?
UpGuard is a cybersecurity platform that helps global
organizations prevent data breaches, monitor third-party
vendors, and improve their security posture. Using
proprietary security ratings, world-class data leak detection
capabilities, and powerful remediation workflows, we
proactively identify security exposures for companies of all
sizes.
Table of Contents
Executive Summary i, ii
Introduction
What is the Digital Supply Chain? 1
What is a Supply Chain Attack? 2
How Does a Supply Chain Attack Work? 2
Real-World Examples 3
Managing Cyber Risk in the Digital Supply Chain 4
How to Protect Your Business From Supply Chain Attacks 5
Send Regular Third-Party Risk Assessments 5
Monitor Your Vendor Network 6
Identify Vendor Data Leaks 7
Conclusion 8
Introduction
What is the Digital Supply Chain?
The traditional supply chain encompasses many important
activities as goods flow from suppliers to customers, including:
• Conducting research to estimate the demand for a product
• The procurement of raw materials for manufacturers
• Manufacturers producing and shipping a finished product to distributors
• Distributors transporting the product to different retailers
• Retailers selling and shipping the product to customers
The core activities and flow of goods in a digital supply chain are
the same, but the difference is in the approach.
A traditional supply chain takes a linear and reactive approach
in which the functioning of the chain depends on specific
predefined workflows. Historical transactions from legacy
systems govern how the chain functions rather than real-time
conditions. Visibility within a traditional supply chain is limited by
the lack of integration between different systems in the chain.
The digital supply chain applies technologies throughout the
system network to enable better integration and connectivity.
These technologies help spot problems earlier and proactively
respond to disruptions based on real-time conditions rather than
predefined workflows. Connectivity is critical to removing silos
and providing visibility across the supply chain.
What is a Supply Chain Attack?
A supply chain attack is an attack strategy that targets an organization through vulnerabilities in its supply chain. These vulnerable areas are usually linked to vendors with poor security practices.
Third-party data vendors require access to organizations’ sensitive data to integrate with internal systems.
When a vendor is compromised, this shared pool of data is breached.
As each vendor stores sensitive data for multiple clientele, a single supply chain attack often causes many businesses to fall victim to data breaches.
How Does a Supply Chain Attack Work?
Supply chain attacks piggyback legitimate processes to gain uninhibited access into an organization’s ecosystem.
Attacks begin by infiltrating a vendor's security defenses. Penetration could occur via multiple attack vectors, such as data breaches or data leaks.
Data Breaches
Third-party breaches occur when threat actors exploit vulnerabilities in a vendor’s systems to access and steal sensitive information stored on a client organization’s systems. For example, malware injections are a common third-party cyber attack technique.
Compromised vendors unknowingly distribute malware to their entire client network. A popular service provider could infect thousands of businesses with a single update, helping threat actors achieve a higher impact with much less effort.
Data Leaks
A third-party data leak occurs when a vendor accidentally exposes sensitive data either physically, on the Internet, or through any other form, including lost hard drives or laptops. This exposure allows cybercriminals to gain unauthorized access to the client organization's data without carrying out sophisticated cyber attacks.
Real-World Examples
Many of the largest and most well-known breaches
result from successful supply chain attacks.
U.S. Government Cyber Attack: Largest Breach in the Nation's History
In March 2020, malicious code was injected into the U.S. government’s internal systems through an IT update from its network-monitoring vendor, SolarWinds. The attackers used a supply chain method of attack, in which malicious code is introduced into a system through a compromised third party. The attackers accessed the Microsoft Office 365 account of the National Telecommunications and Information Administration (NTIA), uncovering a swathe of internal communications between several federal agencies.
Over 100 Customers Compromised in Accellion Supply Chain Attack
In December 2020, technology company Accellion was attacked by unidentified hackers who compromised its legacy file-sharing system, FTA. The attackers used a combination of web shell attacks and zero-day exploits to take advantage of an unpatched software vulnerability. This incident was part of a wider supply chain attack that breached the sensitive data of over 100 of Accellion’s customers, including Singtel, ASIC, Allens, Kroger, and the New Zealand Central Bank.
Kaseya Crippled by Supply Chain Attack
In July 2021, Florida-based IT company Kaseya was hit by a devastating supply chain attack. The Russian ransomware gang REvil launched a supply chain attack to distribute their ransomware: REvil compromised Kaseya VSA servers and used them to deploy and distribute it. Several hundred organizations were impacted, including Kaseya VSA software customers and multiple Managed Service Providers (MSPs) that use the VSA solution. Sweden’s state railways and a major pharmacy chain were affected, as well as 800 stores from the grocery chain Coop.
Managing Cyber Risk in the Digital Supply Chain
Proper supply chain planning must include security as a key
consideration. Some best practices to help better manage
supply chain cybersecurity risks include:
• Adding security requirements to important supply chain contracts and documents.
• Enforcing basic security standards throughout the supply chain, such as changing default passwords for devices, limiting user capabilities, and securing communications with encryption.
• Better due diligence when researching vendors to ensure those vendors can adequately meet cybersecurity requirements. This means conducting detailed security questionnaires and asking vendors about important physical security measures, access controls, malware prevention and detection measures, and secure coding practices.
• Adequately monitoring the risk exposure from different vendors in the software supply chain. In complex digital supply chains, this should encompass a dedicated software solution that automates vendor risk management.
• Improving human awareness of cybersecurity risks throughout the supply chain. Everyone in the workforce who works across a company's supply chain activities should receive Security Education, Training, and Awareness (SETA) programs that address supply chain risks.
How to Protect Your Business From Supply Chain Attacks
Send Regular Third-Party Risk Assessments
The sad reality is that your vendors are unlikely to take cybersecurity
as seriously as you do. It’s up to you to ensure your supply chain is well
defended.
Third-party risk assessments help disclose each vendor's security
posture and any concerning vulnerabilities that need remediating.
UpGuard offers a library of pre-built security questionnaires mapped to
recognized security frameworks, such as ISO 27001 and NIST CSF.
The platform also allows you to set deadlines and send reminders to
ensure vendors receive and complete your questionnaire and track the
status of each outgoing questionnaire.
Monitor Your Vendor Network
The third-party landscape is complex and ever-changing.
Organizations can easily overlook vulnerabilities that are likely to be
exploited in a supply chain attack.
UpGuard Vendor Risk instantly surfaces all hidden vulnerabilities
exposing organizations to supply chain attacks.
Vendor Risk helps you find, track, and monitor the security posture
of any organization instantly. You can categorize vendors, compare
them against industry benchmarks, and see how their security
postures change over time.
Identify Vendor Data Leaks
Organizations can significantly reduce third-party data breaches by
remediating all vendor data leaks before cybercriminals discover and
exploit them.
Data leaks inform threat actors about active vulnerabilities in an
organization’s internal and third-party ecosystems, making it easier
to launch strategic supply chain attacks.
UpGuard CyberResearch helps organizations monitor the third-party attack surface by fully managing third-party risk and data leak detection.
CyberResearch is powered by a team of cybersecurity analysts who
can manage your organization's data leak monitoring and remediation
efforts.
Conclusion
As organizations turn to outsource many of their operations, their third-party attack
surfaces are expanding rapidly.
Effective risk management across the supply chain requires tightened security
controls, strict due diligence, and accurate insights into your third parties’ security
postures.
Your organization must address its third-party attack surface to detect and
remediate vulnerabilities before a data breach occurs. Otherwise, you risk significant
financial, legal, operational, and reputational consequences — just one broken link
can expose the entire chain.
A complete vendor risk management tool helps infosec teams manage the entire
third-party ecosystem through automated questionnaires, real-time attack surface
monitoring, and streamlined remediation workflows, offering protection across the
digital supply chain.
Questions? We have answers
We're here to help, shoot us an email at
[email protected]
Know your vendors. Secure yourself.
Looking for a better, smarter way to protect
your data and prevent breaches?
UpGuard offers a full suite of products for
security, risk and vendor management teams.
www.upguard.com 650 Castro Street, Suite 120-387, Mountain View CA 94041 United States
+1 888-882-3223
© 2022 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products or
services mentioned herein are trademarks of their respective companies.
Information subject to change without notice.