Lack of security threatens supply chains

45% of businesses at risk of cyberattacks by 2025

In today's globalized economy, companies' supply chains are longer and more complex than ever before. Digitization has connected suppliers, distributors and manufacturers in digital networks of systems and processes that enable information flow and coordination - networks that are efficient, but also vulnerable.

This creates a huge risk: if one link in the chain is broken, the whole system can fall. Attacks on third-party vendors, where cybercriminals exploit vulnerabilities at a company's partners in order to get into the company's own systems, have become an increasingly common threat.

How then can businesses protect their own infrastructure while securing the IT/OT environments of all parties in the supply chain? And what role should regulators and authorities play in this fight?

A growing risk - and big consequences if we fail

In recent years, we have seen a sharp increase in cyberattacks targeting third-party service providers. Third-party providers are often used to streamline operations or gain access to specialized expertise, but they can also pose security risks, for example when they handle sensitive data or are connected to the company's network.

According to a report by Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 billion per year by 2025. Supply chain attacks have accounted for a significant portion of these losses, and this is a trend that is expected to grow. A study by Gartner estimates that 45% of companies will have experienced cyberattacks on their supply chain by 2025, compared to 15% in 2021.

SolarWinds paid the ultimate price

The effects of such attacks can be devastating. Attacks against third-party vendors can lead to major disruptions, theft of sensitive information and severe financial losses. A high-profile example is the SolarWinds attack in 2020, where hackers compromised the software provider SolarWinds. The attack clearly showed that it only takes one supplier in the chain with a vulnerable product for the consequences to be widespread and global.

The 2020 SolarWinds attack had significant and severe consequences for businesses and governments worldwide. According to estimates, the attack cost businesses an average of $12 million per affected company, including direct and indirect costs such as incident response, system recovery and reputational damage.

The hackers exploited vulnerabilities in SolarWinds Orion software and were able to infiltrate over 18,000 organizations globally, although not all were actively targeted. The incident led to widespread disruption, exposed sensitive information, and also highlighted the risks associated with poor infrastructure security and its impact on the supply chain.

SolarWinds therefore provides a clear (cautionary) example of the critical importance of strong security measures in system environments and a proactive approach to managing risks. The attack has also raised awareness of the dependency on third-party suppliers and the importance of robust cybersecurity.

How do we secure the supply chain and who is responsible?

Infrastructure security requires a holistic approach, where each part of the chain is examined and secured. It's not just about ensuring that the company's own systems are protected - partners and suppliers also need to meet high security standards. So, instead of defending individual systems in isolation, you secure the entire IT and OT (Operational Technology) environments and their interactions. OT is often older and more difficult to update than IT systems, making it a particular vulnerability in the supply chain.

These efforts, in turn, require both resources and knowledge, which many companies do not yet prioritize enough. But who is actually responsible at the various levels and what are the key steps and actions to be taken?

Standards such as ISO 28000 and NIS2 serve as guiding principles in various areas, not least with regard to cybersecurity in system environments, and can provide a framework for how companies can systematically work with these issues. In addition, the EU, with its NIS2 directive, has set higher requirements for security and reporting obligations for supply chains in critical infrastructure, which shows a growing awareness of the importance of securing all types of digital, interconnected networks.

These regulations can be a driver for improvement, but only if they are properly implemented and monitored.

Future challenges and opportunities

Going forward, we see the threat landscape around digital infrastructure, which is a critical part of the supply chain, increasing in complexity. With the increasing use of IoT devices, AI and automation, the attack surface will become larger, meaning more vulnerabilities and 'broken' links in the chain can be exploited. Another challenge is that hackers will accelerate and refine their methods and become even more targeted, and companies at risk must be prepared to meet these threats with equally advanced defences.

At the same time, developments open up new possibilities. For example, artificial intelligence can be used to monitor system environments in real time and identify anomalies that may indicate attacks. Companies that invest early in smart solutions for risk analysis and automated threat detection can not only minimize the risk of attacks, but also create a competitive advantage through increased reliability and faster response.

The role of legislators in the future

Another crucial factor in successfully securing future supply chains is how legislators and authorities choose to act. The US Cybersecurity Improvement Act and the EU's NIS2 Directive are examples of how regulations are beginning to address the growing need for infrastructure security.

But regulation is only part of the solution. We also need better, and more natural, cooperation across borders when it comes to sharing information about threats and incidents. In working together, we also need to create a culture where cybersecurity is a natural part of business strategy.

Concluding words: it's time to take security seriously

Securing your own infrastructure, and the IT/OT environments of other parties in the chain, is no longer a matter of competitiveness - it is a matter of survival. At a time when cyber threats are growing and new regulations are tightening, it is critical that companies review their strategies and work closely with their suppliers to minimize risks.

For those who succeed, there will be great opportunities for growth and success.

For those who fail, the risk of serious attacks and loss of credibility awaits.

It's time to take the debate on supply chain security seriously - the future of business is at stake. And don't we all want to be among the successful ones?
