The recent announcement by European Union Agency for Cybersecurity (ENISA) has found that 66 percent of supply chain attacks focus on the supplier’s code. The supply chain attacks are projected to quadruple by the end of 2021 as compared to last year.Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers.
ENISA says strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. It requires an urgent introduction of novel protective measures. Such attacks often go undetected for a long time, and, like Advanced Persistence Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly with attackers probably planning them well in advance.
This shows that organizations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.For about 58% of the supply chain incidents analyzed in the report, the assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
Traditionally, cybersecurity incidents have involved direct attacks between malicious actors and their victims. With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plans. The importance of this is underscored in the report which found that 2/3 of the software suppliers were unaware that they’d been compromised.
The report issues an extensive number of recommendations for customers to manage the supply chain cybersecurity risk and to manage the relationship with the suppliers. The report also suggests possible actions to ensure that the development of products and services complies with security practices. Suppliers are advised to implement good practices for vulnerability and patch management for instance.
