
Defend your organization from business scams

Supply chain and third-party risks

Supply chain attacks exploit trusted vendor relationships to compromise many targets at once. The 78% increase reported for 2024, alongside major incidents such as Change Healthcare and CrowdStrike, shows how third-party risk can cause catastrophic business disruption.

The Scale of the Problem

2024 Major Incidents:

  • Change Healthcare: Ransomware affecting millions of patients
  • CrowdStrike update: Global outage affecting critical infrastructure
  • CDK Global: Auto dealer software compromise
  • XZ Utils backdoor: 2.5-year supply chain compromise attempt
  • 78% increase in supply chain attacks overall

Attack Vectors

Software supply chain:

  • Compromised updates/patches
  • Backdoored libraries/dependencies
  • Malicious open-source packages
  • Build environment compromise
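The first two vectors above (compromised updates and backdoored dependencies) are the ones an integrity check catches before installation. The following is an added example, not code from this page's author: it verifies a downloaded artifact against a pinned SHA-256 published separately from the download, refuses anything that has no approved pin, and reports a tampered copy. The manifest format, the package name "widget-agent", its version numbers and the artifact bytes are all constructed for illustration.

```python
"""Pinned-hash verification of a software update before it is installed.

Added example with constructed data. In practice the manifest is obtained
out-of-band from the vendor (signed release notes, a separate channel), so
that whoever tampers with the download cannot also rewrite the expected hash.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse a manifest of 'name version sha256' lines into a pin table.

    Blank lines and '#' comments are ignored. Malformed lines raise, because a
    silently skipped pin would turn into a silently unverified install.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version, digest = line.split()
        pins[(name, version)] = digest.lower()
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> tuple:
    """Return (status, actual_digest) where status is 'ok', 'mismatch' or 'unpinned'.

    'unpinned' is a refusal, not a pass: a version nobody approved must not
    be installed just because it downloaded cleanly.
    """
    expected = pins.get((name, version))
    actual = sha256_hex(data)
    if expected is None:
        return ("unpinned", actual)
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(actual, expected):
        return ("mismatch", actual)
    return ("ok", actual)


# --- constructed sample data (hypothetical package, not a real release) ---
KNOWN_GOOD = b"widget-agent 2.4.1 release payload\x00\x01\x02"
# A backdoored copy: same file with extra bytes appended by an attacker.
TAMPERED = KNOWN_GOOD + b"\n# injected payload"

# The manifest is built here from KNOWN_GOOD purely so the example is
# self-contained; a real manifest is published by the vendor at release time.
MANIFEST = (
    "# name  version  sha256 (constructed example manifest)\n"
    f"widget-agent 2.4.1 {sha256_hex(KNOWN_GOOD)}\n"
)
PINS = parse_manifest(MANIFEST)


def demo() -> list:
    """Run the three cases a deployment pipeline must distinguish."""
    return [
        verify_artifact(PINS, "widget-agent", "2.4.1", KNOWN_GOOD)[0],   # ok
        verify_artifact(PINS, "widget-agent", "2.4.1", TAMPERED)[0],     # mismatch
        verify_artifact(PINS, "widget-agent", "2.4.2", KNOWN_GOOD)[0],   # unpinned
    ]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The important design point is that the hash is compared against a pin obtained through a different channel than the artifact itself; a hash file fetched from the same compromised mirror proves nothing. Treating an unknown version as a refusal rather than a warning is what stops an attacker from slipping in a "new release" that simply has no pin to fail against.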

Vendor access abuse:

  • Stolen vendor credentials
  • Compromised VPN access
  • Lateral movement from vendor
  • Data theft via vendor access

Hardware supply chain:

  • Pre-installed malware
  • Compromised firmware
  • Counterfeit components
  • Interdiction attacks

Third-Party Risk Assessment

Vendor security evaluation:

  • SOC 2 Type II reports
  • Penetration testing results
  • Incident response capabilities
  • Security training programs
  • Insurance coverage

Access management:

  • Least privilege access only
  • Time-limited credentials
  • MFA required
  • Regular access reviews
  • Monitor vendor activity

Contract requirements:

  • Security standards clauses
  • Incident notification requirements
  • Right to audit
  • Data handling requirements
  • Liability provisions

Protection Strategies

Vendor management:

  • Risk-based vendor categorization
  • Annual security assessments
  • Continuous monitoring
  • Alternative vendor plans
  • Regular contract reviews

Technical controls:

  • Segment vendor network access
  • Monitor vendor connections
  • Restrict data access
  • Log all vendor activity
  • Anomaly detection
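The "Access management" and "Technical controls" lists above describe the same control from two sides: a least-privilege, time-limited policy per vendor, and logging plus anomaly detection that checks vendor activity against it. The following is an added example, not code from this page's author, that does both over a handful of constructed log lines: each vendor session is checked for an expired credential, activity outside the approved maintenance window, an unexpected source network, or a target system outside the vendor's scope. The vendor names, networks, hosts and log format are all assumptions made for illustration.

```python
"""Audit vendor access logs against a per-vendor least-privilege policy.

Added example with constructed policies and log lines. A real deployment
would read VPN/jump-host logs and route alerts to the SOC; the checks are
the same.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorPolicy:
    name: str
    allowed_systems: frozenset      # least privilege: the only hosts this vendor may touch
    allowed_networks: tuple         # source ranges the vendor's access should come from
    window_start: time              # approved maintenance window, UTC
    window_end: time
    credential_expires: datetime    # time-limited credential; access after this is an alert


# Constructed policies for two hypothetical vendors.
POLICIES = {
    "vendor-hvac": VendorPolicy(
        "vendor-hvac", frozenset({"bms-01"}), (ip_network("203.0.113.0/24"),),
        time(8, 0), time(18, 0), datetime(2025, 12, 31, tzinfo=timezone.utc)),
    "vendor-erp": VendorPolicy(
        "vendor-erp", frozenset({"erp-db-01"}), (ip_network("192.0.2.0/24"),),
        time(9, 0), time(17, 0), datetime(2025, 11, 1, tzinfo=timezone.utc)),
}

# Constructed log lines: "<ISO timestamp> <account> <source ip> <target host> <action>"
SAMPLE_LOG = """\
2025-11-10T09:15:00Z vendor-hvac 203.0.113.10 bms-01 login
2025-11-10T02:40:00Z vendor-hvac 203.0.113.10 bms-01 login
2025-11-10T10:05:00Z vendor-hvac 203.0.113.10 fileserver-01 smb_read
2025-11-10T10:20:00Z vendor-hvac 198.51.100.7 bms-01 login
2025-11-11T11:00:00Z vendor-erp 192.0.2.5 erp-db-01 sql_query
"""


def parse_line(line: str) -> tuple:
    """Split one log line into (timestamp, account, source ip, target, action)."""
    ts, account, src, target, action = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, account, ip_address(src), target, action


def check_event(policy: VendorPolicy, when: datetime, src, target: str) -> list:
    """Return the list of policy violations for one event (empty if compliant)."""
    findings = []
    if when > policy.credential_expires:
        findings.append("expired_credential")
    if not policy.window_start <= when.time() <= policy.window_end:
        findings.append("outside_maintenance_window")
    if not any(src in net for net in policy.allowed_networks):
        findings.append("unexpected_source")
    if target not in policy.allowed_systems:
        findings.append("out_of_scope_system")
    return findings


def audit(log_text: str, policies: dict = POLICIES) -> list:
    """Return [(log line, [findings]), ...] for every event that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, src, target, _action = parse_line(line)
        policy = policies.get(account)
        if policy is None:
            # An account with no policy at all is itself a finding.
            alerts.append((line, ["unknown_vendor_account"]))
            continue
        findings = check_event(policy, when, src, target)
        if findings:
            alerts.append((line, findings))
    return alerts


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG):
        print(", ".join(findings), "<-", line)
```

Of the five constructed events, only the first is clean; the others trip exactly one check each (a 02:40 login outside the window, a read from a file server the HVAC vendor has no business with, a login from a network the vendor does not use, and an ERP session on a credential that expired on 1 November). Encoding the policy as data, as done here, is also what makes "regular access reviews" tractable: the review is a diff of the policy table against what the vendor still actually needs.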

Incident response:

  • Vendor breach notification procedures
  • Joint response exercises
  • Clear escalation paths
  • Regular tabletop exercises

Key Takeaways

  • 78% increase in supply chain attacks
  • Vendor security is your security
  • Risk-based assessments for all vendors
  • Limit and monitor vendor access
  • Contract requirements for security standards
  • Incident response plans include vendor scenarios

Author: How To Use Internet
Last updated: 11/30/2025