Source: go.theregister.com – Author: Connor Jones
The vast majority of global businesses are handling at least one material supply chain attack per year, but very few are doing enough to counter the growing threat.
New research from SecurityScorecard shows organizations and their security leaders are gravely concerned about supply chain risks. 88 percent of the 550 CISOs and other security higher-ups surveyed expressed worry over supply chain security, but far fewer than half actually monitor security fully across their external suppliers.
Nearly four in five organizations (79 percent) say that less than half of their nth-party supply chain – “nth-party” refers to the dependents and dependencies of their third-party suppliers – is overseen by a cybersecurity program.
“This means the vast majority of organizations are flying blind when it comes to securing the supply chains that keep their businesses running,” said SecurityScorecard in its report.
“In fact, 36 percent of respondents revealed that only 1-10 percent of their supply chain is protected, a sharp indicator amid the rising tide of third-party breaches.”
For those organizations that have the visibility into their wider supply chain, it’s likely that the data they get back makes for grim reading.
Nearly two-thirds (62 percent) of security leaders said that less than half of their third and nth-party suppliers match their own organization’s security requirements.
“At the very least, you would expect your third-party and nth-party vendors to match your company’s security protocols,” said SecurityScorecard. “But that’s simply not the case.”
Customers' apathy about, or inability to, monitor supply chain security, combined with suppliers' failure to meet their customers' security standards, naturally leads to an unwelcome number of attacks.
71 percent of security leaders reported that their organization had experienced at least one incident which had a material impact on their business in the past year alone.
More than a third (37 percent) experienced three or more of these, and 5 percent suffered 10 or more attacks linked to external entities across their supply chain over the same period.
Supporting the vendor's findings is Verizon's Data Breach Investigations Report, which noted that third-party involvement in breaches doubled year over year: such incidents made up 30 percent of all breaches in 2024, up from 15 percent the year before.
Visibility is one of the major issues affecting organizations’ susceptibility to supply chain attacks, but where there is a will to improve, there often is not a way.
The most common obstacle to supply chain security is data overload, the report noted. Responsibility for managing supply chain security often falls to the security operations center (SOC) team, which is generally inundated with alerts on the best of days, so it is not surprising that this continues to be a pain point for organizations.
What’s the solution?
Talk to most cybersecurity experts and you’ll hear them preach the value of cyber resilience. The NCSC certainly does, and has done for years.
Cyber resilience generally refers to reaching a point where an organization can confidently and effectively detect, neutralize, and recover quickly from any kind of cyber attack.
Ideally, the first two steps would prevent the third from being a requirement, but this is the real world.
While not so easy to achieve, ensuring your organization is doing the basics right can go some way in mitigating the adverse effects of a third-party security breach.
SecurityScorecard said: "achieving true resilience requires a holistic supply chain cybersecurity strategy." Its data suggested that most organizations aren't taking all the necessary steps, or when they are, they're not always doing them as effectively as they could.
For example, one aspect of a supply chain security strategy, and one that can resolve the visibility issues organizations face, is to carry out risk assessments on all supply chain members.
Over half of respondents (56 percent) take this step, although 36 percent say they experience difficulties in getting useful responses.
This is likely because risk assessments are often completed using questionnaires, self-reported ones at that, which leaves the conclusions unverified and prone to bias in the supplier's favor.
The most common step to tackle supply chain risks is to take out a cyber insurance policy that specifically covers such events – 63 percent of all organizations have coverage for worst-case scenarios.
Most organizations also train their employees on cybersecurity awareness and carry out continuous monitoring, but every other risk-reducing measure in the survey was used by only a minority of security leaders.
Only 38 percent of organizations have formal onboarding and offboarding processes when it comes to introducing or removing vendors from their environments, for example. A similarly low percentage speak with their vendors about their security issues to identify the root cause, and even fewer (26 percent) carry out joint tabletop exercises with them.
SecurityScorecard said: “The way most organizations manage supply chain cyber risk isn’t keeping pace with the expanding threats. Regaining a true sense of security means investing in not just identifying risk, but in responding to those risks in real time.
“While traditional third-party risk management had its place, it’s time for leaders to move beyond prevention and toward resilience. The next wave of third-party cyber incidents won’t wait for better processes.
“In an era of systemic threats, resilience can’t wait. It must be built now – from the inside out.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/25/supply_chain_attacks_hammer_organizations/