How Supply Chain Attacks Are Exacerbating the Threat Landscape
Everyone’s talking about the supply chain crisis: overloaded ports, striking truck drivers, shuttered factories to deal with the Delta variant. But there’s another threat facing our supply chains. Supply chain attacks are on the rise, as well. What’s the cybersecurity threat landscape for supply chains look like?
Supply chain attacks on the rise
According to late July report from the European Union Agency for Cybersecurity (ENISA), the threat landscape looks bad – very bad and likely to get worse.
How so? The report, entitled Thread Landscape for Supply Chain Attacks, analysed 24 incidents, coming up with a troubling conclusion; turns out, strong security protections aren’t enough when bad actors shift their focus to suppliers.
Underscoring the threat risk are projections that supply chain attacks are set to multiply by a factor of four this year (compared to 2020). In the words of Juhan Lepassaar, EU Agency for Cybersecurity Executive Director:
Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once. With good practices and coordinated actions at EU level, Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU.
Further, the threat is so distressing, because organisations are only as protected as their suppliers, whom attackers can target. Indeed, to compromise organisations, attackers have been doing just that – using a suppliers’ code in about 66 per cent of incidents.
Even worse, in two thirds of supply chain attacks, suppliers didn’t know or failed to report on how they were compromised. The gap in maturity in cybersecurity incident reporting between suppliers and their customers was also found to be staggering.
Another issue picked up in the report: in nearly 60 per cent of supply chain incidents, customer assets targeted were predominantly customer data.
Measures to combat the risk of supply chain attacks
Besides validating third-party code and software, what else can organisations do to combat the supply chain threat? The report lays out recommendations for EU member states, customers (or individual organisations), and suppliers.
For the customers and suppliers, respectively, recommendations include:
Finally, the supply chain risk isn’t just that goods aren’t getting where they need to go. Providers are being targeted by cyber actors, too. Organisations and consumers who rely on those providers need to be prepared, updating their crisis and business continuity plans to reflect the threat. For more on how to go about it, download our guide to the Suez Canal Blockage crisis.