Attacks on supply chains have become commonplace in recent years, as exploiting both upstream and downstream weaknesses becomes increasingly attractive to cybercriminals.
This is because a single compromise gives them a foothold in entire ecosystems of partners, suppliers, employees, and customers, rather than power over just one organisation.
The growing digitisation of supply chains, in which data and software-driven processes now matter at least as much as moving units and logistics, makes the problem more acute for leaders trying to combat organised or opportunistic crime.
These points are underscored by a new survey of security professionals from the Neustar International Security Council (NISC) / Neustar Security Services.
It finds that over three-quarters of businesses (76 percent) see supply-chain security as a top priority, with nearly as many (73 percent) believing they are exposed to greater risk via their software or service-provider partners, especially now that processes have moved to the cloud.
According to NISC, over three-quarters (78 percent) of security professionals say their company’s reliance on cloud-based services has increased (40 percent greatly), while two-thirds say their reliance on third-party service providers has grown (27 percent greatly).
Addressing one specific supply-chain vulnerability, the Log4Shell flaw (CVE-2021-44228) disclosed in December 2021 in the open-source Apache Log4j logging library, which allowed unauthenticated attackers to execute code remotely on any system that logged attacker-controlled input, NISC found that just 37 percent of respondents believe they have fully addressed the risk it presents.
Exploitation of Log4Shell has so far been linked to a range of cybercrimes, including ransomware and cryptojacking, but other long-term effects may yet come to light.
Nearly one-quarter of respondents (24 percent) say that supply-chain partners have yet to address Log4j vulnerabilities, while 43 percent are unsure if they have. This suggests that certainty, trust, and control may be absent in many extended enterprises.
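The 43 percent who are unsure whether their partners have addressed Log4j have no way to answer the question without an inventory of what their software actually ships. The following is an added example, not code from NISC, Neustar, or the survey, of the kind of check a due-diligence process can run against a supplier's software bill of materials: it walks a CycloneDX-style SBOM (constructed here for the demonstration), picks out the Log4j artifacts, and grades each `log4j-core` version against Apache's published fix releases. The `FIX_LINES` table and the status labels are this example's own conventions.

```python
"""Check a CycloneDX-style SBOM for Apache Log4j components still exposed to
the December 2021 Log4j vulnerabilities.

Added example for this article; it is not code from NISC or Neustar, and the
SBOM below is constructed for the demonstration.  Fix thresholds are Apache's
published fix releases: on the main (Java 8+) line 2.16.0 closes the
Log4Shell remote-code-execution bug (CVE-2021-44228) and its follow-up
CVE-2021-45046, and 2.17.1 carries all four December 2021 fixes; the Java 7
line (2.12.x) and Java 6 line (2.3.x) received separate backport releases.
"""
from __future__ import annotations

import json
import re

# Constructed SBOM: two exposed log4j-core copies, one fixed copy, log4j-api
# (not the vulnerable artifact) and a Log4j 1.x jar pulled in by another dependency.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.16.0"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
  ]
}
"""

_PRERELEASE_RANK = {"beta": 0, "rc": 1}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")

# (first release without Log4Shell, first release with all four Dec 2021 fixes),
# keyed by the minor number of a backport line; None is the main Java 8+ line.
FIX_LINES = {None: ("2.16.0", "2.17.1"), 12: ("2.12.2", "2.12.4"), 3: ("2.3.1", "2.3.2")}


def parse_version(v: str) -> tuple[int, int, int, int, int]:
    """Turn a Log4j 2 version string into a comparable tuple.

    Pre-releases sort below the final release: 2.0-beta9 < 2.0-rc1 < 2.0.
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRERELEASE_RANK.get(tag, 2), int(num or 0))


def classify_log4j2(version: str) -> str:
    """Return 'unaffected', 'critical', 'update' or 'ok' for a log4j-core version."""
    pv = parse_version(version)
    if pv[0] != 2:
        raise ValueError("classify_log4j2 only handles Log4j 2.x")
    if pv < parse_version("2.0-beta9"):
        return "unaffected"  # the JNDI lookup feature first shipped in 2.0-beta9
    line = pv[1] if pv[1] in FIX_LINES else None
    log4shell_fixed, fully_fixed = FIX_LINES[line]
    if pv < parse_version(log4shell_fixed):
        return "critical"  # unauthenticated remote code execution via JNDI lookup
    if pv < parse_version(fully_fixed):
        return "update"    # RCE closed, but later December 2021 fixes still missing
    return "ok"


def audit_sbom_json(text: str) -> list[dict]:
    """Walk the SBOM components and report every Log4j artifact with a status."""
    findings = []
    for comp in json.loads(text).get("components", []):
        group, name, version = comp.get("group", ""), comp.get("name", ""), comp.get("version", "")
        if group == "org.apache.logging.log4j" and name == "log4j-core":
            status = classify_log4j2(version)  # the JNDI lookup lives in log4j-core, not log4j-api
        elif group == "log4j" and name == "log4j":
            status = "review"  # Log4j 1.x: end-of-life, needs its own assessment
        else:
            continue
        findings.append({"component": f"{group}:{name}", "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_sbom_json(SBOM_JSON):
        print(f"{f['status']:<10} {f['component']} {f['version']}")
```

Two caveats matter in practice. An SBOM only lists what the supplier declared: a log4j-core copy shaded into a fat jar or bundled inside an appliance will not appear, so a declared-dependency check should be paired with scanning the delivered artifacts themselves. And a version string alone cannot tell you whether a mitigation such as removing the JNDI lookup class was applied in place, which is why the status here is a prompt for a question to the supplier, not a verdict.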
However, the good news is that 77 percent of respondents say they have increased the rigour of their due diligence processes for external partners as a result of the Log4j vulnerability, and recent attacks against providers such as SolarWinds and Kaseya.
Among other findings, 85 percent of the enterprises surveyed report having been on the receiving end of a distributed denial of service (DDoS) attack.