According to a survey by Gartner Inc., 45% of companies have experienced operational disruptions due to third parties. The ENISA (European Union Agency for Cybersecurity) report cites two surveys in which 39% (WEF, 2022) and 62% (Anchore, 2022) of the companies surveyed had been affected by cyberattacks involving third parties.
Suppliers, as integral parts of your supply chain, present significant risks to your company. If one of these business partners employs insufficient cybersecurity practices, the consequences can be severe, such as malware spreading from the partner into your own network. The list of cyber risks that can impact companies and individuals is extensive:
Phishing and Spear-Phishing: Fake emails or messages posing as trusted sources to steal sensitive information.
Ransomware Attacks: Malware that encrypts files and withholds them until a ransom is paid.
Malware: Software that infiltrates systems to steal data, disrupt networks, or launch further attacks, including Trojans, viruses, and spyware.
DDoS Attacks (Distributed Denial of Service): Overloading a system or network to disable it and impact service availability.
Zero-Day Attacks: Exploiting security vulnerabilities for which no patch is yet available.
Insider Threats: Employees or partners who intentionally or unintentionally create or exploit security gaps.
Man-in-the-Middle Attacks: Intercepting and manipulating data transmissions between two communication partners.
SQL Injection: Attackers inject SQL commands into an application to manipulate databases or retrieve sensitive data.
Password Theft and Brute-Force Attacks: Attempts to steal passwords or discover them through repeated guessing.
Social Engineering: Techniques to deceive and manipulate people to gain access to confidential information.
APT (Advanced Persistent Threat): Long-term, targeted attacks on specific organizations to gather confidential data over time.
Cloud Security Vulnerabilities: Risks arising from misconfigurations and weaknesses in cloud services, allowing unauthorized access.
IoT Threats (Internet of Things): Attacks on connected devices, often vulnerable due to insufficient security measures.
Cryptojacking: Unauthorized use of IT resources for covert cryptocurrency mining.
Firmware and Hardware Exploits: Attacks on the software and hardware of devices to manipulate the system or take control.
Supply-Chain Attacks: Compromising third-party providers or suppliers to gain access to a target organization.
Data Breaches and Information Loss: Unintentional disclosure of sensitive data, whether due to misconfiguration, cyberattacks, or human error.
Deepfake and Digital Manipulation: Using artificial intelligence to create fake media content for disinformation or fraud.
BYOD (Bring Your Own Device) Risks: Security vulnerabilities introduced by employees' personal devices, which are difficult to control.
Shadow IT: Use of unauthorized IT systems or applications that are unsecured and can lead to security issues.
These risks illustrate the breadth of the threat landscape and the importance of effective security measures to prevent damage. Consequently, regulators are increasingly demanding cybersecurity and resilience measures.
NIS-2 – Enhanced Cybersecurity Across the European Union
The NIS-2 Directive (Network and Information Security Directive 2) came into effect on January 16, 2023, aiming to improve cybersecurity and the protection of critical infrastructures. It expands the original NIS directive and mandates stricter security measures and incident reporting obligations for a larger number of companies and organizations in essential and important sectors (e.g., energy, healthcare, transportation, digital services).
Key changes include:
Extended Scope: In addition to critical infrastructures, companies in areas such as public administration and research are now required to implement security measures.
Stricter Security Requirements: Organizations must implement risk analysis, vulnerability remediation, and risk mitigation measures, and regularly update their cybersecurity strategy.
Reporting Obligations: Companies must report serious cyber incidents and security breaches within 24 hours to enable a quick response.
Higher Penalties: Non-compliance with security requirements may result in significant fines.
Cooperation and Information Sharing: The directive promotes cooperation among EU member states to collectively combat threats.
The NIS-2 Directive aims to strengthen cybersecurity within the EU and improve the protection of critical services and infrastructure against cyberattacks. All affected companies and organizations have until 2024 to implement the new requirements.
Risk Management Measures Under NIS-2
Article 21 of the NIS-2 Directive emphasizes security requirements in the supply chain and the monitoring of suppliers and service providers. The goal is to better control risks in the supply chain and minimize vulnerabilities arising from third parties. Affected companies must therefore take steps to ensure that their suppliers and service providers meet appropriate cybersecurity standards.
Specifically, Article 21 covers:
Supply Chain Risk Assessment: Companies are required to assess potential security risks when selecting and managing suppliers. The risks suppliers pose to the company's IT systems must be systematically monitored and minimized.
Supplier Contracts: Companies should implement contractual agreements to ensure that suppliers and service providers also adopt appropriate security measures. This is to maintain standards throughout the entire supply chain.
Continuous Monitoring: Companies must establish mechanisms to regularly review the security measures of their suppliers, ensuring that current security standards are upheld by partners as well.
Crisis Management and Incident Response: Companies should ensure that suppliers and service providers have appropriate emergency and response plans so that they can respond quickly and in a coordinated manner in the event of a cyber incident.
Through Article 21, the NIS-2 Directive strengthens the security of the entire supply chain and reduces the risk that vulnerabilities or weaknesses in suppliers and service providers could endanger the company itself.
How scrioo Assists in Identifying Cyber Risks in the Supply Chain
While many cybersecurity solutions focus on software analysis, access control, physical security, system procurement, or maintenance procedures, scrioo conducts global real-time media monitoring and analysis. Over 180 million online sources worldwide are monitored in or near real-time for information about suppliers, their products, and cyber risks. For example, it might detect an attack being discussed in a forum post before the manufacturer or supplier is aware of it, serving as a highly effective early warning system.
Moreover, potential economic risks in partners that could impact service quality, product security, or availability are identified, such as high employee turnover, legal disputes, or sudden management changes. Additionally, broader risks, such as natural disasters that might affect the provider, are monitored. When a new risk is identified, scrioo immediately sends an alert via email.
The platform goes beyond risk identification. You can directly forward identified risks from the platform to the service provider, requesting a statement. Risks can also be analyzed across all service providers, or specific risk types can be assigned to designated internal staff. All activities are reliably documented and can be included in reporting.