The importance of third-party supply chain cybersecurity has become increasingly apparent over the past few years. The recent well-publicized incident at SolarWinds, an IT service provider, is the latest example of a supply chain attack, in which the intended victim is not the organization itself, but rather its customers and business partners. Over the past year, the cyber “attack surface” and the amount of sensitive data to which third-party vendors have access have increased due to the large uptick in remote working caused by the COVID-19 pandemic. In response to a recent survey by the Ponemon Institute of 581 IT security professionals and 302 C-suite executives, 58% of respondents said that, despite the increased risk, their organizations do not have a third-party cyber risk management program. Ponemon Institute, Digital Transformation & Cyber Risk: What You Need To Know To Stay Safe (2020).
Attacks on third-party vendors have risen in number and severity. 2020 saw a 430% increase in attacks on third-party supply chains. Cyber Attacks: Better Vendor Risk Management Practices in 2021, Shared Assessments (Dec. 18, 2020). Ransomware attacks in particular have seen the most growth, increasing by 715%. BitDefender, Mid-Year Threat Landscape Report 2020 (2020).