Public Entity Blog

Why public entity supply chains are a hacker’s backdoor

Written by KYND | Jul 7, 2025 2:09:09 PM

Existing without cyber risk is impossible in today’s digital and interconnected world, and public entities are no exception; in 2024, 34% of state and local government organizations were hit by ransomware. These risks can also be costly: the mean cost in state and local government organizations to recover from a ransomware attack was a staggering $2.83M in 2024, more than double the $1.21M reported in 2023.

These attacks, though, don’t always come from a flaw inside your organization. Sometimes, the way in is through a vendor or third party you’ve given access to your systems. And if they get breached? So do you. It’s a particularly difficult area of risk to manage, because instead of only having to take care of the vulnerabilities within immediate sight, supply chain risk means that you have to trust that someone else is managing their exposure as well. Would you trust the painters to lock your house after they leave?

And the truth is, supply chain risk isn’t some niche problem – it’s exactly the kind of weak spot today’s cybercriminals are looking to exploit. These aren’t basement hackers anymore; the threat landscape has changed, and the bad guys have seriously leveled up.

The rapidly expanding cyber threat landscape

In recent years, the sophistication and frequency of cyber threats have grown exponentially. Cybercriminals are no longer just isolated hackers working alone but are often part of organized crime syndicates or even state-sponsored groups. These attackers use advanced techniques such as phishing, malware, and ransomware to infiltrate systems, steal sensitive data, and disrupt operations.

Plus, it’s not just companies in the private sector with billions of dollars in turnover that get targeted; municipalities and public entities also have a vast supply of valuable data and perform such crucial public functions that they make incredibly tempting targets for cybercriminals. No entity is safe! Public entities of all kinds hold sensitive information, such as student or client information, financial data like tax records, and medical records. In our digital age, these entities rely heavily on their cyber infrastructure and connectivity to operate smoothly.

This dependency makes them particularly vulnerable to cyberattacks. We can see a clear correlation between ransomware attacks and their targets being public entities, which often find themselves choosing to pay a ransom over having their crucial operations interrupted for days, weeks, or even months. Imagine a school system being unable to access student records during exam season, or a city’s tax office being unable to process payments right before the deadline. Paying ransoms, however, is not the answer; it not only emboldens cybercriminals to strike again, but it also doesn’t guarantee the safe return of your data or the restoration of your systems, leaving organizations vulnerable to further exploitation. The disruption caused by such attacks can still be catastrophic, not just financially, but also in terms of public trust and safety.

For instance, local governments manage critical infrastructure such as water treatment plants, public transportation systems, and emergency services. A successful cyber attack on any of these can have dire consequences for public safety and well-being. Additionally, public entities often face budget constraints and may not have the latest cyber defenses in place, making them easier targets compared to well-funded private corporations. The need for a robust and proactive cyber risk management strategy in the public sector has never been more urgent.

Example cyber attack: a wake-up call for the industry

In 2023, a significant cyber attack hit multiple government agencies, serving as a stark reminder of the vulnerabilities within public sector supply chains. Russian cyber criminals exploited a vulnerability in MOVEit, a file transfer software so widely used by federal organizations that it affected almost every level and sector of government. The repercussions were enormous, with over 600,000 government emails leaked and more than 2,000 organizations breached. The data of 62 million people, including sensitive medical information from over 3 million newborns and pregnant patients, was accessed. For many, the impact is still being felt to this day; such exposure of sensitive personal information could mean identity theft, fraud, and a loss of confidence in governing bodies.

This supply-chain breach not only compromised individual privacy but also led to extensive legal consequences. A slew of litigation followed, including class action lawsuits and the introduction of new SEC requirements around data breach disclosures, which come with significant political and economic implications. The breach of government emails and sensitive personal data shook public confidence in the security of federal systems. Organizations have now been forced to reassess their security measures, implement stricter controls, and invest in advanced technologies to detect and mitigate threats; for instance, the SEC now requires public companies to disclose a cybersecurity incident within four days of discovering it.

The MOVEit attack demonstrated how a single vulnerability in widely used software in an organization’s supply chain or third-party vendors can cascade into a massive security breach with far-reaching impacts, highlighting the critical need for robust cybersecurity measures and underscoring the importance of proactive cyber risk management. The attackers’ penetration of the supply chains of federal organizations revealed how interconnected and interdependent our digital ecosystems have become, and that even a small weakness in one part of the supply chain can be exploited to gain access to a wealth of sensitive information across multiple entities. In response to such wake-up calls, public entities must prioritize proactive cyber risk management at all levels. But how can organizations do this, especially with limited resources?

Staying ahead of the curve: Proactive cyber risk management

As public entities navigate the digital landscape, it’s clear that completely preventing cyber attacks is a tall order. However, a multi-faceted strategy is essential for withstanding various digital threats.

Here are some proactive measures public entities and their suppliers can implement to better safeguard against cyber incidents:

Conducting due diligence and risk assessments: One key lesson from cyberattacks is the need for comprehensive risk assessments that cover the entire supply chain. Public entities must evaluate the cyber risk posture of their potential and existing suppliers, vendors, and partners.

This means understanding their current security measures, identifying potential vulnerabilities, and enforcing risk mitigation strategies. Regular audits can help identify weak spots and ensure continuous improvement in cyber defenses. When choosing contractors, easy-to-use cyber risk reports for potential vendors can aid in making informed decisions.

Enhancing third-party risk management: Third-party cyber risk management is crucial for mitigating supply chain cyber risks. Contracts should include stringent criteria for selecting and onboarding suppliers, such as specific cybersecurity requirements that are in line with the data protection standards that the organization is required to adhere to. Regular security audits, tested backup and recovery processes, and incident response protocols are also all essential. Continuous monitoring of third-party risk exposure can proactively identify vulnerabilities and weaknesses, strengthening the security posture of the entire supply chain.

Limiting suppliers’ access to critical assets: Implement the “principle of least privilege” and adopt a zero-trust approach. By limiting suppliers’ access rights to the absolute minimum necessary, the attack surface is reduced, and the potential damage from a compromised supplier account is contained. This approach involves continuously verifying the identity and integrity of users and devices, so that only authenticated and authorized users can reach critical systems, and removing that access promptly when a contract or task ends.

Business continuity plan and recovery: Cyber resilience goes beyond prevention; it includes the ability to respond to and recover from cyber incidents. Robust business continuity, incident response, and disaster recovery plans are essential and should be regularly tested and updated. Additionally, organizations should implement redundancy measures, such as backup systems and alternative core network services, to minimise disruptions during cyber incidents.

Fostering a cybersecurity culture: Cultivating a cybersecurity-aware culture within organizations means the workforce can act as the first line of defense against cyber threats. This involves training staff to recognise and report suspicious activity. Implementing security software, services, and processes is necessary, but offers little protection when someone writes their credentials on a sticky note and leaves it on their desk. Leadership should allocate resources to foster cyber vigilance.

Collaborating for collective defense: In an era of digital interconnectivity, cyber threats are a shared challenge that requires collective defence efforts. Public entities should actively participate in information-sharing initiatives and collaborate with peers, government agencies, and cyber risk management experts. This collaboration leads to easier and earlier identification of emerging threats, the development of industry-wide best practices, and coordinated responses to cyber incidents.

What’s next?

Each cyberattack underscores the critical importance of effective supply chain cyber risk management. The journey to a secure and resilient public entity ecosystem begins with recognizing the significance of supply chain cyber risk and taking decisive action to mitigate its impact. At KYND, we understand the importance of seeing, understanding, and managing cyber risks – including those across your supply chain.

If you'd like to learn more about how KYND's technology can help you stay ahead of cyber risk in the supply chain, reach out to our team of experts for comprehensive information about our cyber risk management services. Managing supply chain cyber risk doesn’t have to be overwhelming, so we've created a helpful checklist to guide you on your way.

Download our checklist.