The dangers posed by compromised contractors and other suppliers aren't well documented across all industries. Studies like the Verizon Data Breach Investigations Report are typically skewed toward the retail and financial sectors, because those sectors must report breaches that involve consumer data. Other industries aren't required to report incidents and often don't.
Attacks by insiders and suppliers are notoriously underreported. More than 75% of all insider attacks, which include attacks by contractors with insider access, weren't reported, according to the 2011 CyberSecurity Watch Survey, conducted by CSO Magazine, Deloitte, the Software Engineering Institute's CERT program at Carnegie Mellon University, and the U.S. Secret Service. The most common reasons survey respondents gave for deciding not to prosecute: provable damages didn't meet the threshold required for law enforcement action, there wasn't enough evidence, and they feared damage to their company's reputation.
More than half of the companies surveyed say their biggest supply chain security concern is with vendors; their second biggest concern is with contractors.
The threat from the supply chain isn't new. "We have seen this problem from day one," says Joji Montelibano, a lead researcher for the Insider Threat Lab at CERT. "It has always been there, and it's always been big."
In one case documented by CERT, a power company contractor was dissatisfied with his employer. The employer revoked his credentials but didn't notify the power company. The contractor used his credentials with the power company to shut down its systems in retaliation against his former employer, Montelibano says. --Robert Lemos