Cyber-criminals are focusing more on attacking firms in organisations’ supply chains, according to new research.
According to a survey of 1,300 senior IT decision-makers and IT security professionals, around 80 percent of respondents believe software supply chain attacks have the potential to become one of the biggest cyber-threats over the next three years, few organisations are prepared to mitigate the risks.
The global Supply Chain Survey from CrowdStrike interviewed respondents in the US, Canada, UK, Mexico, Australia, Germany, Japan, and Singapore across major industry sectors. It also found that two-thirds of the surveyed organisations experienced a software supply chain attack in the past 12 months. At the same time, 71 percent believe their organisation does not always hold external suppliers to the same security standards.
87% had a strategy in place
Nearly nine-in-ten (87 percent) of those that suffered a software supply chain attack had either a full strategy in place, or some level of response pre-planned at the time of their attack.
Only 37 percent of respondents in the US, UK and Singapore said their organisation has scrutinised all suppliers, new or existing in the past 12 months and only a quarter believe with certainty their organisation will increase its supply chain resilience in the future. When vetting suppliers, new or existing, UK organisations check for ‘Security software in use’ at 58 percent, against the global average of 52 percent or firms.
The research also found that the UK is more concerned than any other nation about ransomware (43 percent) with Singapore at 40 percent and the US at 23 percent.
The UK is the most likely (at 20 percent) to believe that attackers will target the organisation as a whole, rather than a particular target within. The UK is also the most likely nation to have paid a ransom to cybe-attackers in order to recover data encrypted in a software supply chain attack in the past 12 months (14 percent of organisations).
"It’s clear that supply chain attacks are becoming a business-critical issue, impacting topline relationships with partners and suppliers but organisations largely lack the knowledge, tools, and technology to be protected," said Dan Larson, CrowdStrike’s vice president of product marketing. "Knowledge gaps and the lack of established standards to prevent complex supply chain attacks are putting organisations at risk from a financial, reputational, and operational perspective."
Patrick Martin, cyber-security analyst at RepKnight, told SC Media UK that the key to reducing the threat of supply chain breaches is to monitor your data outside the firewall and not just protect your network.
"There’s now software available that can continuously monitor the dark web, and let you know immediately if you’re company data appears anywhere it shouldn’t. Investing in dark web monitoring will ensure that you’ll be the first to know when you’ve suffered a data breach. After all, if you’re in the know, you can do something about it," he said.
"You would be shocked by the number of companies who do not have a complete list of their suppliers."Alex Hollis, GRC solutions director at SureCloud
Alex Hollis, GRC solutions director at SureCloud, told SC Media UK that securing the supply chains starts with identifying the suppliers, starting with those who are crucial and have any trusted access to data. "You would be shocked by the number of companies who do not have a complete list of their suppliers," he said.
"Once you know who you work with, drafting a simple assessment that asks about key controls and processes that are in place is essential. This should be sent out to the vendors and responses carefully reviewed before working together to address any risk areas.
In its most straightforward form this can be (and in a lot of organisations is) an Excel spreadsheet sent over email. The questions will mature over time as you start asking about more areas, but you should be sure to only ask the necessary questions of vendors. Flooding vendors with questions leads to low-quality answers due to assessment fatigue."