July, 1943: Realizing that no cross-channel invasion of Hitler’s Europe would be possible that year, Allied powers decided to attack “the soft underbelly” of the Axis powers – Mussolini’s Italy. Thrusting into the weak link in Hitler’s defenses led to the collapse of Mussolini’s regime and – critically – the diversion of Nazi troops away from other fronts to fight in northern Italy.

Today, the supply chain has emerged as the “soft underbelly” for cybercriminals seeking to infiltrate and exploit unwitting organizations. As companies increasingly rely on an interconnected web of third-party vendors, suppliers, and partners to power their operations, they have inadvertently created a vast attack surface that cyber adversaries are all too eager to exploit.

The risks of shared systems and interconnected workflows

At the heart of the supply chain's cybersecurity vulnerability lies the reliance on shared systems and interconnected workflows. Organizations often grant their suppliers access to various internal applications, databases, and communication channels to help facilitate collaboration and information exchange. While this level of integration drives efficiency and productivity, it also creates a potential backdoor for cybercriminals.

Imagine a scenario where a cybercriminal gains access to the systems of a small, seemingly innocuous supplier in the supply chain. From this foothold, they can then pivot and leverage that access to infiltrate the networks of the larger, primary organization. This could involve stealing login credentials, deploying malware, or exploiting vulnerabilities in the shared software or infrastructure.

Once inside the main organization's systems, the attackers can wreak havoc, stealing sensitive data, disrupting critical operations, and causing immense financial and reputational damage.

The cybersecurity risks to a supply chain aren't hypothetical. They are a very real and growing threat that organizations worldwide need to take seriously.

Recent examples of supply chain attacks

The risk of supply chain attacks is not merely a hypothetical scenario – it is a very real and growing threat that has already impacted numerous organizations worldwide. Here are a few recent examples that illustrate the devastating consequences: 

Sisense hack (2024): Threat actors reportedly accessed the GitLab code repository that contained credentials for Sisense’s Amazon S3 account, prompting the business intelligence firm to warn all of its clients to “reset any shared credentials and secrets promptly.” 

Okta hack (2023): Hackers gained access to private customer data by obtaining credentials to Okta’s customer support management system. The alert was delivered two weeks after cybersecurity company BeyondTrust notified Okta about a potential issue.

Progress Software (2023): Hackers compromised over 2,600 companies and government agencies by exploiting a vulnerability in Progress’ MOVEit file transfer tool.

Change Healthcare (2023): The company shut down its services after a cyberattack that left many medical providers unable to bill insurance providers or collect revenue for weeks. Impacts included $1 billion in costs, furloughed staff, and medical provider closures.

SolarWinds Breach (2020): In one of the most high-profile supply chain attacks in recent history, cybercriminals compromised the software update process of the SolarWinds Orion platform, a widely used network management tool. This allowed the attackers to gain access to the networks of thousands of SolarWinds customers, including numerous government agencies and Fortune 500 companies.

These incidents underscore the sobering reality that supply chain vulnerabilities can have far-reaching consequences, compromising the security of even the most well-protected organizations.

Strengthening supply chain cybersecurity through procurement

Periodic questionnaires about supplier controls are no longer enough. As the threat of supply chain attacks continues to escalate, organizations must take proactive measures to safeguard their operations. A critical component of this effort lies in the procurement process, where procurement teams can play a vital role in mitigating cyber risks.

Supplier cybersecurity vetting

When onboarding new suppliers or renewing contracts, procurement teams should implement robust cybersecurity assessment protocols. This may include evaluating the supplier's information security policies, incident response plans, and compliance with industry standards (e.g., ISO 27001, NIST CSF).

Contractual cybersecurity requirements

Procurement contracts should include clear, enforceable clauses that outline the supplier's cybersecurity obligations. This may include requirements for regular security audits, vulnerability assessments, and the adoption of best practices such as multi-factor authentication and data encryption. Importantly, there needs to be stricter contractual terms around how soon suppliers must notify customers after an attack.

Ongoing monitoring and collaboration

Procurement teams should maintain ongoing communication and collaboration with their suppliers to ensure that cybersecurity standards are being upheld. This may involve regular security assessments, threat intelligence sharing, and joint incident response planning.

Diversify or consolidate

While diversifying the supplier base can enhance security by reducing single points of failure, it also introduces the challenge of managing a larger attack surface with more potential entry points for adversaries. The key is to strike the right balance: maintaining a diverse network of qualified, cybersecurity-conscious suppliers while implementing rigorous vetting, ongoing monitoring, and clear contractual security requirements.

Secure software and hardware procurement

When acquiring new software, hardware, or IT services, procurement teams should carefully evaluate the cybersecurity posture of the vendor, including their software development practices, patch management procedures, and supply chain security measures.

Is cybersecurity procurement's job?

Most procurement folk are not cybersecurity experts. Isn’t this the job of the IT team?

Procurement teams cannot simply delegate supply chain cybersecurity to the IT department. While information security plays a critical role, procurement has a unique and indispensable part to play in managing third-party vendor risks. Procurement teams are the primary owners of supplier relationships and contract negotiations. They possess intimate knowledge of the vendor landscape, selection criteria, and contractual terms.

This puts procurement in the best position to incorporate robust security requirements into the sourcing process and hold suppliers accountable. Attempting to shift this responsibility solely to IT would create dangerous gaps, as the security team lacks the same level of visibility and influence over the supplier ecosystem.

Effective supply chain risk management requires a collaborative, cross-functional approach, but procurement must take the lead in driving security-minded supplier selection, onboarding, and ongoing monitoring. By proactively embedding cybersecurity into procurement practices, organizations can better protect themselves against the risks posed by a distributed, complex supply chain.

Looking for ways to better manage risk and safeguard your organization? Learn how partnering with a GPO can help mitigate risks within your procurement function.