Today, the supply chain has become a prime target for cybercriminals. Organizations that fail to ensure they have suppliers and technology partners genuinely committed to cybersecurity risk operational disruptions, significant financial losses, and potentially severe reputational damage. In some cases, this could even lead to regulatory non-compliance and substantial penalties.
Recent cyberattacks on the supply chain in Spain and Latin America
In September 2024, one of Spain's leading energy providers suffered a cyberattack that partially compromised its electricity and gas customer database. This incident, which resulted in unauthorized access to personal information such as names, national identity card numbers, and addresses, occurred through one of its technology providers, highlighting how a vulnerability in the supply chain can lead to a security breach with significant consequences for the organization and its users.
Another example from Latin America occurred in September 2023, when a managed services provider was the victim of a ransomware attack that directly impacted multiple government entities and companies in countries such as Colombia, Chile, Argentina, and Panama. As a key player in the region's technological infrastructure, the cyberattack triggered a domino effect that disrupted services for numerous clients, demonstrating how a breach at one provider can quickly escalate and affect an entire network of interdependent organizations.
Worrying statistics
According to Statista, in 2023 alone, more than 245,000 malicious attacks were recorded against the open-source software supply chain, an increase of almost 2,801% compared to the previous year. Meanwhile, Gartner predicts that by 2025, 451% of organizations worldwide will have experienced attacks on their software supply chains.
These trends reflect the growing threat that cyberattacks pose to the supply chain and the urgent need to implement robust cybersecurity measures to protect business operations.
What are the risks?
One of the main challenges organizations face in ensuring the cybersecurity of their supply chain is the lack of visibility and control over suppliers. Many companies lack effective mechanisms to monitor and assess the security of their business partners, making it difficult to identify potential threats early on.
Another critical problem is human error, responsible for between 75% and 95% of cybersecurity incidents, according to various studies. These errors include common practices such as opening malicious emails or misconfiguring systems.
Furthermore, reliance on outdated technologies exposes organizations to known vulnerabilities that attackers can easily exploit. Finally, failure to comply with current cybersecurity regulations, whether due to lack of awareness or resources, significantly increases companies' exposure to both legal and operational risks.
Solutions to protect the supply chain
To minimize the risks associated with potential cyberattacks in the supply chain, it is crucial to adopt solutions that optimize the cybersecurity of systems and safeguard the integrity of both the organization's data and its technological infrastructure. A fundamental aspect is verifying and requiring that our suppliers maintain at least a level of cybersecurity equal to or better than our own.
For example, investing in identity and access management (IAM) involves implementing multi-factor authentication and role-based access controls to limit who can reach sensitive information. Furthermore, continuous system monitoring is crucial for early detection of suspicious activity and rapid incident response. Digital surveillance services, in addition to those offered by Security Operations Centers (SOCs), often provide enhanced early detection capabilities, improving an organization's readiness to respond before an incident actually occurs.
Furthermore, we have seen how users themselves are targeted by these cyberattacks. This means that proper training and awareness of cybersecurity best practices for employees is essential to fostering a preventative organizational culture, which will make them our first line of defense.
Finally, it is necessary to conduct risk assessment and management through periodic audits to identify and correct potential vulnerabilities in the technological infrastructure, using tools such as pentesting services. Similarly, and given the potential lack of transparency from some suppliers, there are digital monitoring systems that allow us to anticipate possible cybersecurity problems with suppliers, such as the theft of a supplier's access credentials to our organization, or even measuring the average resolution time of incidents involving supplier credentials, among others.
Supply chain risk management through regulations
The European Union's NIS2 Directive (SRI2 in Spanish), in force since January 2023, has established stricter cybersecurity requirements for companies in critical sectors. Its main focus is on supply chain risk management, where organizations must assess and mitigate risks associated with their suppliers and technology partners.
Another obligation imposed by this new regulation is the notification of significant security incidents within a specified timeframe. Failure to comply may result in penalties including fines of up to €10 million or 21% of global annual turnover, depending on the severity of the breach.
The implementation of this new NIS2 Directive represents a significant step forward in ensuring the cybersecurity of organizations, as it addresses fundamental aspects such as protecting human resources and managing the supply chain. To maintain the security of their operations and infrastructure, companies must adopt a proactive approach that allows them to comply with the established requirements and strengthen their defenses against potential cyber threats.
This preventative approach also involves alignment with other key regulations that strengthen digital resilience and data protection. For example, the General Data Protection Regulation (GDPR) establishes strict requirements on the processing and protection of personal data, while PCI-DSS, focused on the protection of payment card data, also has direct implications for supply chain security: it requires rigorous controls over third parties that process, store or transmit sensitive information, forcing companies to carefully evaluate their suppliers and ensure that they comply with the required security standards.
In the financial sector, the Digital Operational Resilience Act (DORA) further strengthens these requirements by establishing a common framework for the digital operational resilience of financial sector entities and their critical ICT providers. DORA requires organizations not only to ensure the continuity of their services in the face of technological incidents, but also to monitor and manage the risks arising from their reliance on third-party technology providers, thereby aligning with the NIS2 principles on supply chain supervision.
Protecting companies' digital assets
Excelia's comprehensive cybersecurity solutions are specifically designed to strengthen our clients' cybersecurity. From specialized asset protection consulting to governance, risk management and compliance (GRC), we design tailored strategies for each company. We implement solutions to ensure the security of information, networks, endpoints, and the cloud, protecting infrastructures against threats. Furthermore, we advise on compliance with all current regulations and offer threat intelligence and penetration testing to detect and mitigate risks before they materialize.
Cybersecurity is no longer just an internal matter. It's a shared strategy built with everyone in your ecosystem. Only those who protect their entire network will be prepared to withstand the threats of an increasingly hostile environment.