Supply chain cyber attacks expected to quadruple by end 2021

According to the European Union Agency for Cybersecurity (ENISA), supply chain attacks are projected to quadruple by the end of 2021 compared with last year. ENISA’s research found that the attacks are increasing in number and sophistication. 66% of supply chain attacks focus on the supplier’s code, and strong security protection alone is no longer enough for organisations.

“Traditionally, cybersecurity incidents have involved direct attacks between malicious actors and their victims. The Threat Landscape for Supply Chain Attacks report highlights an important shift in cybercriminals’ tactics – indirectly targeting their victims through the software of their trusted third-party suppliers and service providers.

With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plans. The importance of this is underscored in the report which found that 2/3 of the software suppliers were unaware that they’d been compromised.

Considering the importance of application security practices in most software companies, this lack of awareness points to a gap in process. A gap where threat models likely need revising to account for how software supply chains work and one where an objective review of security initiatives such as the taxonomy maintained by the BSIMM community,” says Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Centre (CyRC).
CT Bureau

Copyright © 2024 Communications Today