It is one thing to deal with attacks on a specific organization, but having to focus on assaults targeting the software supply chain is quite another.
That is because organizations are not prepared to respond to such incidents, according to a report by endpoint security firm CrowdStrike.
In supply chain attacks, malicious actors target software makers in an effort to modify their products so they perform malicious actions or provide a backdoor into the targeted environment.
The NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved the hacking of distribution servers at Piriform, are some of the better known cases.
The report, conducted by Vanson Bourne and sponsored by CrowdStrike, surveyed 1,300 senior IT decision makers and security professionals in the U.S., Canada, Mexico, the U.K., Australia, Japan, Germany and Singapore in April and May.
The “Securing the Supply Chain” report found about 33 percent of organizations are concerned about supply chain attacks, with 18 percent saying the risk is high and 38 percent saying it is moderate.
On top of that, almost 66 percent of respondents said they experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82 percent of organizations encountering such an incident, including 45 percent hit in the last year. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74 percent), IT and technology (74 percent), engineering (73 percent), healthcare (70 percent) and insurance (68 percent).
On average, organizations believe it would take them 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it, which totals 63 hours, the report found.
Respondents that encountered a supply chain incident reported a financial impact averaging $1.1 million. The highest costs were reported by the hospitality, entertainment and media sector ($1.44 million) and the lowest in the government sector ($329,000).
Some companies have also paid a ransom to recover from a supply chain attack.
In addition to financial loss, organizations experienced various other consequences following an attack, including the need to completely rebuild IT systems (36 percent), increased spending on security (36 percent), and service/operations disruption (34 percent).
When it comes to response strategies, over one-third of respondents said they had a comprehensive strategy in place when they suffered an attack and more than half had some level of response pre-planned.
When it comes to suppliers, trust is important. The survey found 35 percent of respondents said they had been totally certain they would be informed of a cybersecurity incident by a supplier. On the other hand, 39 percent of those surveyed said they had lost trust in a supplier over the past year.
Fewer than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high-profile attacks that came to light last year made the vetting process more rigorous in 59 percent of cases. Executives have also started changing their attitude regarding this threat, with 31 percent becoming more involved, 49 percent planning to become more involved, and 13 percent taking more of an interest.