ThreatList: Supply-Chain Defenses Need Improvement

Few organizations are prepared to mitigate supply-chain risks, despite a majority of them acknowledging they are a huge cyber threat.

Although nearly 80 percent of respondents in a recent survey believe software supply-chain attacks have the potential to become one of the biggest cyber threats over the next three years, few organizations are prepared to mitigate the risks. This state of affairs comes as businesses lose millions every year in remediating these types of attacks.

That’s according to CrowdStrike’s global Supply Chain Survey, which polled 1,300 senior IT decision-makers. It found that a hefty two-thirds of the surveyed organizations experienced a software supply-chain attack in the past 12 months, as this chart shows:

Worse, the vast majority (87 percent) of those that suffered a software supply-chain attack had either a full strategy in place, or some level of response pre-planned at the time of their attack. This proved ineffective: On average, respondents from nearly all of the countries surveyed took close to 63 hours to detect and remediate an attack:

The impact is significant: 90 percent of respondents confirmed they incurred a financial cost as a result of experiencing a software supply-chain attack. The average cost of an attack was over $1.1 million. Further, companies felt a range of other damages:

“It’s clear that supply chain attacks are becoming a business-critical issue, impacting topline relationships with partners and suppliers but organizations largely lack the knowledge, tools and technology to be protected,” said Dan Larson, CrowdStrike’s vice president of product marketing. “Knowledge gaps and the lack of established standards to prevent complex supply-chain attacks are putting organizations at risk from a financial, reputational and operational perspective.”

At the same time, 71 percent believe their organization does not always hold external suppliers to the same security standards. Only 37 percent of respondents in the US, UK and Singapore said their organization has vetted all suppliers, new or existing, in the past 12 months.

The good news is that following last year’s NotPetya attack and with the GDPR in effect, organizations are more concerned about vetting their suppliers and partners going forward, with 58 percent of respondents saying that they will be more rigorous when evaluating their security partners. Nearly 90 percent agree that security is a critical factor when making purchasing decisions surrounding new suppliers:

Yet, on a sobering note, only a quarter believe with certainty their organization will increase its supply chain resilience in the future.

And finally, while supply-chain threats can occur in every sector of the economy, the industries that most often experience these attacks are biotechnology and pharmaceuticals, hospitality, entertainment and media, and IT services.

Overall, supply-chain attacks are top of mind for decision-makers, and concerns abound:



  • zelon88 on

    I had an issue one time at my company where a user reported that someone was using his machine remotely. I investigated and found that the machine was being accessed via our IT consultant's user account from an IP located in India. I immediately quarantined the machine and started digging deeper. Later on I found the same IPs logging into our company servers at odd times, like 2 or 3 in the morning. I immediately raised a red flag and started digging everywhere on the network for more signs of unauthorized use. I also reached out to the IT consultants to see if they were aware of the access. About 10 hours later, after my boss also reached out to them, their CTO finally responded and admitted that they occasionally outsource their business to India. I was livid. Here I was preparing for a total lockdown and it turns out our vendor was emailing our domain admin password all over the world. To make matters worse, the company at the time was preparing to become DFARS compliant, so this was a major concern for us. How can we trust this IT company to steer us down the right path when they're obviously taking a "do as I say, not as I do" approach to our company's security? Needless to say, my boss was not satisfied with their answer. When they didn't have answers to my questions about what their internal WISP and Password Policies are, we decided to sever ties. It was for the best.
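The pattern in the comment above (a vendor's shared account logging in at 2 or 3 in the morning from a network the vendor was never expected to use) is straightforward to surface from authentication logs. The script below is an added example, not code from the article or the commenter; the account name, approved vendor network, business-hours window and log lines are all constructed for illustration.

```python
# Added example (not from the article or the commenter): flag logins by a
# third-party/vendor account that occur outside business hours or from a
# source network that is not on the vendor's approved list.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample auth log lines: "<timestamp> <account> <source_ip> <host>"
SAMPLE_LOG = """\
2018-07-10T09:15:02 itconsult-admin 203.0.113.7 fileserver01
2018-07-11T02:41:55 itconsult-admin 198.51.100.23 dc01
2018-07-11T03:05:12 itconsult-admin 198.51.100.23 fileserver01
2018-07-11T10:20:44 jdoe 10.0.0.15 workstation07
2018-07-12T14:02:09 itconsult-admin 203.0.113.9 dc01
"""

# Hypothetical vendor account and the network the vendor said it connects from.
VENDOR_ACCOUNTS = {"itconsult-admin"}
APPROVED_VENDOR_NETS = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local time window considered normal


def parse_line(line):
    """Split one constructed log line into (timestamp, account, ip, host)."""
    ts, account, src, host = line.split()
    return datetime.fromisoformat(ts), account, ip_address(src), host


def login_alerts(log_text):
    """Return (timestamp, account, source_ip, host, reasons) for suspicious vendor logins."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, host = parse_line(line)
        if account not in VENDOR_ACCOUNTS:
            continue  # only vendor/third-party accounts are in scope here
        reasons = []
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if not any(src in net for net in APPROVED_VENDOR_NETS):
            reasons.append("unapproved source network")
        if reasons:
            alerts.append((ts.isoformat(), account, str(src), host, reasons))
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed input the two early-morning logins from 198.51.100.23 are flagged for both reasons; the daytime logins from the approved network are not.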
