What are Supply Chain Attacks?
Falling victim to a supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with privacy regulations. And without the right security protocols, supply chain attacks can go undetected for long periods of time. Recent research found that 93% of companies suffered a cybersecurity breach through weaknesses in their supply chain in 2021.
Types of Supply Chain Attacks
Web applications have two main components: the server and the client. The server holds the application code, stores data and processes operations. The client is the user’s browser where the web application is delivered.
To carry out supply chain attacks, cybercriminals can target the server or the client.
- In server-side supply chain attacks, cybercriminals compromise the code that runs on the server side. This allows attackers to steal stored customer or employee data, access and modify internal configurations, hijack bandwidth or intercept money transfers.
How do Supply Chain Attacks Work?
More than 99% of websites use code from third-party vendors to build their sites. Examples of this are social sharing buttons, advertising iframes, payment iframes, chatbots, analytics and metrics scripts, A/B testing scripts for experiments and helper libraries such as jQuery.
Browser Storage Data Access
Network Sniffing and Manipulation
Why Are Supply Chain Attacks Difficult to Detect?
Client-side supply chain attacks can easily go undetected for several reasons.
- Frequent code changes - Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, that does not mean subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their immediate knowledge.
- Nth-party vendors - Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire supply chain.
- Insufficient security reviews - Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and thus may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.
Impact of Supply Chain Attacks
Supply chain attacks negatively impact businesses in several ways.
- Damage to brand reputation and consumer trust - If your brand suffers a supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company.
- Lawsuits - Consumers may file lawsuits against businesses who expose their personal data to cybercriminals in a supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services that are introduced to users from a software supply chain.
- Regulatory fines - Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Businesses are liable for hefty fines if they do not comply with these regulations — even if it’s due to an attack on a third-party vendor.
- Impaired functionality - Supply chain attacks can affect a company’s ability to deliver products and services. This affects business continuity and creates data inaccuracies, making it hard for applications that use a compromised vendor to function. This results in revenue loss and a competitive disadvantage.
- Lower stock value - Your stock price may plummet following a supply chain attack, and investors may sell your stock to avoid losses.
All in all, supply chain attacks lead to severe financial losses. In some cases, top executives may be forced to resign, as happened to the CEO of Target following a data breach.
How to Prevent Supply Chain Attacks
Businesses can prevent supply chain attacks by vetting their third-party code vendors. Before onboarding a new vendor, ask them detailed questions about their data security protocols and compliance with privacy regulations. Include specific security requirements and penalties for non-compliance in vendor contracts to mitigate the possibility of supply chain attacks.
How Does PerimeterX Prevent Supply Chain Attacks?