US-based cybersecurity firm CrowdStrike has published a report that highlights the next emerging attack vector against UK businesses: the software supply chain. The report, published on Monday 23rd July, claims that UK businesses are increasingly at risk of losing millions of pounds because of shortcomings in their cybersecurity standards.
CrowdStrike surveyed over 1,300 senior IT decision-makers and cybersecurity professionals across a range of countries, including Canada, Mexico, Australia, Germany, Japan, Singapore, the UK and the United States.
Recent Escalations
Following the recent high-profile Ticketmaster breach, which was a prime example of a supply chain attack in action, the CrowdStrike report states: “Software supply chain attacks are the next big emerging attack vector with the potential to cost organisations millions in damage.”
80% of respondents said they believed software supply chain attacks have the potential to become one of the most concerning cyber threats over the next three years. Additionally, 90% of respondents confirmed they had incurred significant financial costs as a result of an attack of this kind, with the average cost standing at around £835,000.
The report suggests that, globally, organisations recognise that they have critical cybersecurity weaknesses but lack the visibility, tools, technologies and security practices needed to mitigate or adequately defend against supply chain attacks.
UK Insights
According to the survey, only 37% of respondents in the UK, US and Singapore said their organisation would be willing to vet all suppliers, new or existing, and only one quarter believe that their supply chain resilience will improve in the near future.
Compared with some of their global counterparts, however, UK organisations take the software supply chain seriously. The report highlights that 37% of UK organisations said they had vetted their software suppliers for security purposes in the past 12 months, placing the nation joint first with the US and Singapore.
The UK also appears better prepared with respect to security planning than any other nation polled, with 61% of UK organisations describing themselves as adequately prepared, compared with a global average of 56%.
Prepared for Ransomware?
Ransomware attacks have become increasingly common in the past 18 months, with high-profile campaigns such as WannaCry and NotPetya having devastating effects on organisations across the UK.
The NHS in particular was affected by WannaCry, which brought operations to a halt in some areas and forced hospital staff to resort to pen and paper during their shifts.
According to the report, the UK is more concerned than any other nation about the growing threat of ransomware, with 43% of respondents highlighting this particular cyber attack method as a primary worry. In the US, however, just under one-quarter of organisations said they were concerned about ransomware – suggesting a disparity in national views toward specific methods of attack.
Although UK organisations are concerned about this attack method, the report also highlights worrying habits in how they deal with it. The UK is identified as the nation most likely to have paid a ransom to attackers in order to recover data hijacked in a software supply chain attack over the past 12 months.
Federico Charosky, Managing Director at Quorum Cyber, believes that the evolution of supply chain attacks comes as no surprise, and in fact makes sense from an attacker's perspective.
He said: “Supply chain has been a major concern for a while now – Operation Cloud Hopper is a good example. The fact that the threat is moving from managed services to software makes sense and should not come as a surprise. If you think about it, a similar vector was already taking place with “watering hole” attacks, where an attacker compromises a valid website to distribute malware to its visitors.
“Targeting commonly used software (or websites) is a great way of indirectly attacking a large volume of users.”
Charosky suggested that supply chain attacks put pressure on both software developers and businesses. He asserts that software developers need to realise that they are a potential threat to their own customers, and that businesses face an ever-increasing need for technical due diligence and new threat models.
Key Hurdles
According to the survey, organisations across the globe face key hurdles in cybersecurity, specifically in detecting threats and responding to them.
Protection is being hampered by slow detection rates, and response times were often rated as below adequate. A lack of comprehensive security vetting for suppliers and third parties is also exposing businesses to critical losses.
On average, respondents across virtually all of the countries surveyed take nearly 63 hours to detect and remediate a software supply chain attack.