Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Software Supply Chain Increasingly Targeted in Attacks: Survey

Organizations increasingly have to deal with cyberattacks targeting the software supply chain and in many cases they are not adequately prepared to respond to such incidents, according to a report published on Monday by endpoint security firm CrowdStrike.

Organizations increasingly have to deal with cyberattacks targeting the software supply chain and in many cases they are not adequately prepared to respond to such incidents, according to a report published on Monday by endpoint security firm CrowdStrike.

In supply chain attacks, malicious actors target software makers in an effort to modify their products so that they perform malicious actions of provide a backdoor into the targeted environment.

The NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved hacking of distribution servers at Piriform, are some of the most well-known examples, but supply chain attacks are becoming increasingly common.

Vanson Bourne, on behalf of CrowdStrike, surveyed 1,300 senior IT decision makers and security professionals in the U.S., Canada, Mexico, the U.K., Australia, Japan, Germany and Singapore in April and May.

The Securing the Supply Chain report shows that roughly one-third of organizations are concerned about supply chain attacks, with 18% and 38% saying that the risk is high and moderate, respectively.

Approximately two-thirds of respondents have experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82% of organizations encountering such an incident, including 45% being hit in the last 12 months. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74%), IT and technology (74%), engineering (73%), healthcare (70%) and insurance (68%).

Supply chain attacks

On average, organizations believe it would take them 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it, which totals 63 hours, the report shows.

A vast majority of respondents that have encountered a supply chain incident reported a financial impact, with an average cost of roughly $1.1 million. The highest costs were reported by the hospitality, entertainment and media sector ($1.44 million) and the lowest in the government sector ($329,000).

Advertisement. Scroll to continue reading.

Some companies have also paid a ransom to recover from a supply chain attack, with many respondents saying their own organization or others in their industry had paid.

In addition to financial loss, organizations experienced various types of drawbacks following an attack, including the necessity to completely rebuild IT systems (36%), spend more on security (36%), and service/operations disruption (34%).

When it comes to response strategies, over one-third of respondents said they had a comprehensive strategy in place when they suffered an attack and more than half had some level of response pre-planned.

Trust in suppliers is not very high, with only 35% of respondents saying they had been totally certain they would be informed of a cybersecurity incident. On the other hand, 39% of those surveyed said they had lost trust in a supplier over the past year.

Less than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high profile attacks that came to light last year made the vetting process more rigorous in 59% of cases. Executives have also started changing their attitude in regards to this threat, with 31% becoming more involved, 49% planning to become more involved, and 13% taking more of an interest.

Related: Mitigating Risk of Supply Chain Attacks

Related: Travel Agent Association Breach Highlights Supply Chain Threat

Related: Supply Chain Attack Spreads macOS RAT

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.