CrowdStrike, a developer of cloud-delivered endpoint technology, announced the results of its global supply chain survey, Securing the Supply Chain. The study surveyed 1,300 senior IT decision-makers and IT security professionals in the US, Canada, UK, Mexico, Australia, Germany, Japan and Singapore across industry sectors.
The survey found that 80 percent of respondents believe software supply chain attacks have the potential to become one of the biggest cyber threats over the coming years; however, few organizations are prepared to mitigate the risks.
Two-thirds of those surveyed had experienced a software supply chain attack within the last year, and 71 percent believe that their organization does not hold external suppliers to the same security standards. On the other hand, 87 percent of those that suffered an attack had either a full strategy in place or some level of response planned at the time of their attack. At least 90 percent of respondents confirmed that a software supply chain attack cost their organization a significant amount of money, averaging out at $1.1 million. The survey also found that only 37 percent of respondents in the US, UK and Singapore claimed their organization vetted all suppliers for the year, and only a quarter believe their organization will increase its supply chain resilience in the future.
Supply chain threats can occur in every sector; however, the industries that experience attacks the most are biotechnology and pharmaceuticals, hospitality, entertainment and media, and IT services. Following recent attacks such as NotPetya, and with regulations such as GDPR, organizations are now vetting their suppliers and partners more. According to the survey, 58 percent of senior IT decision-makers whose organization vetted software suppliers in the last year will now be more rigorous when evaluating their partners, and nearly 90 percent agree security is a critical factor when making purchasing decisions surrounding new suppliers.
The survey found that 90 percent of respondents believe they are at risk of an attack. Companies are slow to detect, remediate and respond to the threats they face. On average, respondents take close to 63 hours to detect and remediate a software supply chain attack, while the leading organizations aim to eject an adversary in less than two hours, according to CrowdStrike research.
“Fast-moving, advanced threats like supply chain attacks require organizations to adopt new best practices in proactive security and incident response. Our Services team has been called in to support many companies that have suffered business-critical consequences as a result of these prevalent threats,” says Shawn Henry, president of CrowdStrike Services and chief security officer. “The new attack methods we see today call for coordinated, efficient and agile defenses. CrowdStrike is supporting customers with a compelling combination of endpoint protection technology, expert services, and intelligence to uncover critical investigation information faster, accelerate incident response and enable companies to get back to business as quickly as possible.”