Deepening currents: What you need to know on managing supply chain risk in 2024 

Security leaders know all too well the steady rise of third-party cyber risk and the management challenges that come with it.

In today’s ever-changing digital world, the cyber risk landscape grows more complex, with supply chain layers that reach well beyond immediate third parties.

In our latest edition of research on multi-party cyber incidents, “Ripples Across the ATTACK Surface”, RiskRecon by Mastercard and Cyentia Institute collaborated on a study of the current state of supply chain risk management. By assessing nearly 900 historical multi-party breaches, we identified the top MITRE ATT&CK techniques used by cyber criminals, along with other safeguarding insights to help ensure organizations don’t get caught in the wake of a supply chain cyberattack.

Deepening currents and managing risk

Increasing depths 

Ripple events have become more common as businesses evolve and adapt to keep up, weaving complex digital interdependencies with each other.  

Based on our previous analyses, multi-party incidents have increased at an average rate of 20% per year over the last decade. 

Challenge 

Recent multi-party breach events have had serious and far-reaching consequences, demonstrating how cyber risk can originate in supply chain layers beyond immediate third parties. In fact, 65% of an organization's assets sit on infrastructure owned by an external entity or supply chain vendor. However, organizations are less likely to know who those supply chain vendors are, let alone hold rights to audit or risk assess them directly, leaving the organization exposed to a potential backdoor supply chain cyberattack.

Making waves 

Ripple events are particularly concerning because their impact can spread beyond the initial victim and have far-reaching consequences. One of our standout findings came from examining roughly 900 breach events: the Ripple Effect from these events generated downstream impacts on nearly 6,000 other organizations.

Additionally, the median financial loss for multi-party events is $1.4M, compared to $191K for a single-party incident, meaning that in addition to the reputation damage and disruption to the business or consumer, a multi-party security incident typically costs seven times more than a single-party event.

Attack Styles  

The following attack styles were identified as being commonly used by cybercriminals: 

  • System Intrusions: System intrusions are the riskiest type of ripple events, surpassing all others in frequency, total financial losses, and the number of third parties impacted.

  • Valid User Targeting: Targeting valid user accounts and exploiting trusted third-party relationships are the most common initial access techniques leading to ripple events.

  • Public-facing Application Exploitation: Exploiting public-facing applications results in the largest proportion of financial losses from multi-party security incidents.

  • Malicious Code Injection: Malicious code injection and obfuscation were associated with 100% of reported financial losses and 87% of third parties impacted by multi-party security incidents. 


How to stay protected  

In an era where cyberattacks are becoming increasingly sophisticated and prevalent, a proactive approach to cybersecurity is essential. 

At Mastercard, trust is our business. By using our advanced AI and extensive knowledge of payment transactions, we can examine the entire digital environment, including the supply chain, to identify the weak spots. This goes beyond your third-party vendors to their own third-party vendors, that is, your fourth-party vendors. With this overview, our customers have a comprehensive view of their supply chain risks and vulnerabilities. This allows them to better understand their exposure to cyber risk and address critical issues quickly, protecting trust within their supply chain and with their customers.

Our evaluation process includes potential risk from all sources, including companies within the supply chain that might not be under direct monitoring by agencies. This thorough risk assessment process incorporates entities that may be overlooked by more traditional monitoring methods and provides businesses with a comprehensive assessment of risk, allowing them to proactively address risks from less obvious sources.

The final step in this process is to identify potential access points for attackers. We provide insights that help organizations identify potential access points, or chinks in the armor, that could be exploited. This insight empowers businesses not just to address existing vulnerabilities but also to address areas that could be exploited in the future.