Are Companies Doing Enough to Prevent Software Supply Chain Attacks?

08/13/2018 By

Software supply chains are at ever higher risk of cyberattacks, a recent report from the U.S. National Counterintelligence and Security Center (NCSC) has warned.

With seven significant events reported last year — compared to four between 2014 and 2016 — 2017 “represented a watershed in the reporting of software supply chain operations.” NCSC notes that “software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors.”

As companies work and share their data with an increasing number of vendors, their risk of falling victim to a software supply chain attack rises dramatically.

In the CCleaner malware case, hackers gained access to companies including Intel, Samsung and Sony. FedEx and Maersk lost about $300 million each as a result of the NotPetya cyberattack. Hundreds of companies across industries were affected as a result of corrupted NetSarang software. And this was all only last year.

Although the threat of cyberattacks is well publicized and two-thirds of respondents in a recent CrowdStrike survey say that their organizations have experienced a software supply chain attack, only 49% have a comprehensive strategy for dealing with a potential breach.

Nevertheless, supply chain attacks elicit somewhat less concern among the 1,300 IT security professionals and senior decision makers who took part in the survey, compared to other types of cyberattacks, such as ransomware. Fifty-six percent of the respondents consider their organization to be at high or moderate risk of supply chain attacks.

Source: CrowdStrike

The biotechnology and pharmaceutical sector is particularly vulnerable to software supply chain attacks, with 82% reporting that they have experienced one (45% have experienced such an attack within the past 12 months). Hospitality, entertainment, media, IT services and telecom sectors also experience high rates of supply chain attacks. The financial repercussions of these attacks are not trivial, costing companies $1.1 million on average.

Are Companies Adequately Prepared?

Although four out of five respondents agree that software supply chain attacks “have the potential to become one of the biggest cyber threats to organizations” in the next three years, 62% note that their executive leadership isn’t aware of the risk posed by such attacks. Furthermore, organizations do not always take software supply chain security into account when making IT spending decisions.

Despite this, only 35% consider the prevention of supply chain attacks as one of their top three areas of focus when it comes to IT security. Only 32% of respondents report that their organizations have vetted all of their suppliers within the past 12 months, with 5% saying that they have not vetted any of their suppliers during this period.

Among the companies that do vet their suppliers, internal security standards and security software in use are two of the most common things that organizations check for. Only 28% look at the supplier’s relationship with its own suppliers.

“While many organizations are vigilant when vetting the suppliers in their immediate vicinity, as the circle widens, the level of vigilance appears to drop,” the report notes.

The good news is that more organizations are being proactive about supply chain security. Thirty-one percent of the respondents say that their organization’s board has become more involved following the NotPetya and WannaCry cyberattacks.

Source: CrowdStrike

As the chart above shows, organizations are also looking to new technologies in their defense against supply chain attacks, with artificial intelligence and machine learning sparking the most interest. A remarkable 44% report that they plan to implement AI as part of their IT security in the next 12 months.

The U.S. National Counterintelligence and Security Center report can be found here. Also check out the full survey results from CrowdStrike.