Surge in Software Supply Chain Attacks

Surge in Software Supply Chain Attacks

The results of a newly released global supply chain survey showed that companies lack both visibility and awareness when it comes to identifying and combating software supply chain attacks.

CrowdStrike, in conjunction with research firm Vanson Bourne, surveyed 1,300 senior IT decision makers and professionals across industry sectors from organizations around the globe. They found that nearly 80% of respondents believe software supply chain attacks have the potential to become one of the biggest cyber-threats over the next three years.

Despite that belief, few organizations have the ability to mitigate the risks from downline vendors. According to the report, 71% of respondents believe their organization does not always hold external suppliers to the same security standards even though 66% of the organizations surveyed said they had experienced a software supply chain attack in the past 12 months.

“Once a supplier is compromised, the attackers can modify trusted products to perform malicious actions or provide a backdoor to the target environment. Unaware of these malicious changes to their applications, suppliers unwittingly deliver them to their trusting clients as legitimate software updates,” CrowdStrike’s Dan Larson wrote in today’s blog post.

Survey results also found that of those organizations that suffered a supply chain attack, 90% had suffered a financial loss as a result of the attack, the average cost of which was over $1.1m. The vast majority (87%) were prepared with some level of a response plan, yet only 37% of respondents in the US, UK and Singapore had done their due diligence and vetted their suppliers.

On average, it took companies nearly 63 hours to detect and remediate software supply chain attacks.

“Fast-moving, advanced threats like supply chain attacks require organizations to adopt new best practices in proactive security and incident response,” Shawn Henry, president of CrowdStrike Services and chief security officer said in a press release. “The new attack methods we see today call for coordinated, efficient and agile defenses.”

Source: Information Security Magazine