Physical and software supply chain risks make up an increasingly large part of the threat landscape. Here are the evolving risks – and solutions.
The increasing interconnectedness and dependencies in the modern world have created supply chain and partner risks for organizations that may go unnoticed until disruptive events occur.
Data from Cyble and others suggest that 40% or more of data breaches are supply-chain related. Software and physical supply chains are so fraught with risk and interdependencies that it can be difficult for organizations to stay on top of them, but there are steps companies can take to reduce those risks.
We’ll look at the state of supply chain and partner risk in 2024 – and what may be in store for 2025, along with some risk monitoring and management strategies that can help reduce those risks.
Software Supply Chain Attacks Evolve
Supply chain attacks burst into consciousness with the SolarWinds and Kaseya breaches of 2020-2021, and if anything, risk has increased since then.
While software update hacks like the one SolarWinds experienced are relatively rare, the fact is that software supply chain risks are so vast as to be underappreciated. Software, hardware, managed services, cloud services and SaaS applications are all part of the software supply chain, and all could introduce vulnerability risk.
IT vulnerabilities are some of the most sought-after by threat actors on dark web marketplaces because of their vast reach. Of 770 dark web claims involving U.S. entities that Cyble dark web researchers deemed credible enough to report to clients in the first 11 months of 2024, IT and IT services companies far outpaced the other 20 sectors studied (chart of the top 4 below).
| Sector | Dark Web Exploits |
| IT and IT Services | 146 |
| Government | 93 |
| Banking and Financial Services | 82 |
| Healthcare | 73 |
A vulnerability doesn’t need a million web-exposed vulnerable assets to be dangerous – or valuable. One of the most interesting examples of 2024 was a Versa Director zero-day vulnerability that had only 31 web-facing vulnerable instances – yet it apparently led to downstream customer attacks because some of those vulnerable instances belonged to internet service providers (ISPs) and managed service providers (MSPs).
While it wasn’t a supply chain attack, one of the biggest cyber incidents of 2024 was the faulty CrowdStrike update that hit roughly 8.5 million Windows machines – no incident better highlights the risky interdependencies of the software supply chain.
Other 2024 incidents that demonstrated the reach of the software supply chain included the CDK cyberattack that crippled North American car dealerships – showing the interconnected nature of the physical and software supply chains – and the Snowflake breach that exposed the data of 165 prominent organizations.
Even CISA and MITRE couldn’t escape software supply chain threats in 2024, as both got hit by Ivanti vulnerabilities.
Open source software – present even in many commercial products – is another software supply chain risk, making a software bill of materials (SBOM) an important protection against unknown vulnerabilities.
In fact, any ransomware or data breach that began with a vulnerability exploit – or escalated because of one – could be considered at least in part a software supply chain incident.
Physical Security: Not Just for Supply Chains
Physical supply chains face many risks – financial, geopolitical, operational, shipping, logistics, climate, natural disasters – that make planning and risk diversification and management especially important.
Physical security is important for supply chain management and function as well as for many other sectors and uses, including for critical infrastructure and executive travel. In recent years, an alarming rise in physical and geopolitical risk has been affecting all sectors, as well as increased risks for executives.
Access control applies to physical as well as virtual risks, and with physical threats increasing, locking down access to critical areas of your organization is an important security consideration.
Physical threat intelligence is an emerging tool for monitoring physical threats regardless of type and location, whether they affect a local office or warehouse or an executive on the other side of the globe. With advanced algorithms analyzing data from sources such as video surveillance, sensor data, and social media monitoring, these tools allow for rapid alerts, response and adjustments for greater control over physical and supply chain risks.
Controlling Supply Chain and Physical Risks
The software and physical supply chains can both be better protected with comprehensive threat intelligence platforms that include features such as:
- Third-party risk management (TPRM) tools that alert organizations to potential partner risks before they become a crisis;
- Physical threat intelligence for avoiding physical threats that could disrupt operations;
- Dark web monitoring for detecting leaks and threats before they become bigger issues.
One Cyble case study of a supply chain company documented a 45% drop in fraud and scams after the company implemented a threat intelligence solution that included partner risk management.
Understanding supply chain risk through tools like SBOM and TPRM are essential for controlling risk. Proper access control applies to both partners and users – third-party suppliers should be given only the access they need, and configuration and segmentation are other important security controls. Security can also be built into supplier contracts via service-level agreements (SLAs) and followed up with regular audits.
2025 Supply Chain Outlook
With a dramatic change in direction in the U.S. political landscape, 2025 may usher in even more volatility, and shifting global alliances and economic direction will make rapidly responding to business risks and threats more important than ever. Tariffs pledged by U.S. President-elect Donald Trump have the potential to disrupt both the supply chain and the economy.
And as cybercriminals and threat actors continue to weaponize AI to create increasingly sophisticated cyberattacks, 2025 will once again make a strong case for the comprehensive protection that AI-powered threat intelligence platforms offer.
