Complex company structures are predestined for supply chain attacks! A current study confirms secion's blog article from May.
by Svenja Koch
In its May 2021 blog article, secion pointed out how vulnerable companies have become as their supply chains grow more complex. While corporate IT security is becoming more and more capable, cybercriminals are using the backdoors left open by suppliers and service providers to launch supply chain attacks of considerable sophistication. At the time, supply chain attacks such as SolarWinds and Passwordstate had only recently come to the public's attention. A new study now shows that supply chain security has not changed much for the better since then. The supply chain remains a "blind spot" when it comes to the risks threatening a company.
Complexity and lack of clarity: the study clearly shows inadequate supply chain security
The auditing and consulting firm PricewaterhouseCoopers (PwC) recently published a study on cyber security. In July and August 2021, the study surveyed a total of 3602 security, technology, and business executives on IT security trends. Thirty-three percent of the companies surveyed are based in Western Europe, 26 percent in North America, and 18 percent in the Asia-Pacific region; the remaining respondents came from Eastern Europe, the Middle East, Africa, and Latin America. Perhaps the study's most striking finding is that an overwhelming proportion, a full 82 percent, of the executives surveyed say that the complexity of modern digital operating environments is now too high. For the respondents, complexity is the main reason companies cannot protect themselves optimally against cyberattacks. Cloud solutions in particular, which are currently growing rapidly in the wake of the IoT, are an area in which the executives surveyed see a lack of clarity about what effective cybersecurity looks like.
The increasing complexity has very concrete consequences for the companies surveyed. For half of the respondents, complexity is "to blame" for a lack of resilience, financial losses, and an inability to innovate. However, 72 percent of all executives surveyed also said they had been able to reduce complexity within their own business environment in the past two years, either by adapting technology or by cutting it outright. If companies are getting their own house in order and security is still inadequate, part of the problem must lie outside the corporate structure, which brings us back to the issue of supply chain attacks.
The supply chain attack: still an unrecognized threat
The PwC study makes it clear that supply chain security still has major gaps. In Germany, a worrying 32 percent of respondents have little or no understanding of the risks posed by supply chain attacks. According to the study, the level of knowledge is similarly low when it comes to working with cloud service providers, subcontractors, and IoT technology providers. Another of the study's findings helps explain the dismal success of supply chain attacks: around 60% of the executives surveyed have not taken any measures in their companies that promise a lasting effect in the area of third-party risk management. What does this mean in plain language? More than half of the companies do not rigorously select their suppliers, do not renegotiate their contracts, and do not refine their criteria for onboarding and assessing third parties.
Supply chain security: this is the status in 2021
PwC's study also asked whether, and which, measures companies had taken in the past 12 months to minimize the risk of supply chain attacks.
- 39% provided support or knowledge sharing to third-party vendors to help improve their cybersecurity
- 38% reviewed or verified the security posture and compliance of third-party vendors and suppliers along the supply chain
- 38% developed refined criteria for onboarding and ongoing assessments of third-party vendors
- 35% were able to overcome time- or cost-related challenges that affected the company's cyber resilience
- 33% established contracts to mitigate their risks in working with third-party vendors
- 28% even terminated their business relationships with certain third-party vendors
It can be concluded that at least one-third of the companies have become aware of the danger posed by supply chain attacks. However, and the study also shows this, not all companies are aware of the seriousness of the security situation: four percent of the companies surveyed stated that they had not taken any measures at all against supply chain attacks in the past 12 months.
German CEOs do not focus on proactive cybersecurity
In the study, PwC wanted to know what influence a CEO has on cybersecurity in the company, and thus directly on supply chain security as well. The executives surveyed said their CEOs become personally involved primarily when reporting cyberattacks to regulators or after an attack on their own company. The study characterized the position of German CEOs in this regard as "surprising": in an international comparison, German CEOs act far more reactively than their counterparts in other countries and are conspicuously less concerned with proactive cybersecurity measures. On the general question of the cyber mission, however, there is cross-national agreement. CEOs see it as their duty to create trust among their customers about the use and protection of data. Better control mechanisms to protect against cyberattacks, rapid response to attacks, and efficient crisis management: CEOs certainly recognize the three pillars of cyber security, namely protection, trust, and resilience. In doing so, they set the direction for the entire enterprise.
So how should supply chain attacks be addressed in 2022?
More relevant than data from the past is the question of how supply chain attacks will be dealt with in the future, and how much room companies want to give supply chain security. Here, too, the PwC study provides interesting data. One thing is certain: investment in cyber security will increase significantly in 2022. More than half of the German companies surveyed, 56%, expect a significant increase in spending on cyber security in the coming year. Germany also stands out when it comes to the size of the budget increases: here, the share of companies expecting a budget increase of more than 10 percent has risen particularly sharply in an international comparison. Whereas in 2020 only 5% of the companies surveyed expected an increase of that size, by 2021 the figure had already risen to 19%. But what exactly do executives expect in the area of cyberattacks in the coming year?
Mobile, cloud, IoT: Executives expect these threats in 2022
More than half of the German executives surveyed expect cyberattacks to increase in 2022.
In particular, those surveyed see the cloud, the IoT, and mobile data use as critical with regard to cyberattacks:
- 36% expect attacks on cloud services to increase
- 36% expect a significant increase in ransomware attacks
- 33% expect increasing threats from crypto mining
- 36% fear an increase in malware entering organizations via software updates
- 36% fear an increase in supply chain attacks involving software supply chains
- 34% fear more supply chain attacks on the hardware supply chain
PwC also asked which actors executives believe will be responsible for the most significant cyber threats in 2022. Here, more than one-third named cybercriminals as the biggest threat, closely followed by hacktivists and nation-states. Likewise, a full third of respondents see third-party vendors or contractors as a threat to their cyber security.
Supply chain attack prevention rarely takes place based on data
In companies around the world, complete data governance programs are rare. Only about one-third of companies have integrated such a program to make sustainable decisions about cyber investments. As mentioned earlier, Germany takes a particularly pronounced reactive approach to cybersecurity. Here, a mere 21 percent of companies rely on real-time threat intelligence and the quantification of cyber risks. Conversely, this means that 79% of German companies do without such data and are largely left to react only once a cyberattack has occurred. This is certainly not a recommendable approach in a world of ever-increasing digital complexity.
Supply chain attacks are challenging companies around the world. Not only the number of supply chain attacks but also their sophistication is increasing significantly. Yet the PwC study makes it clear that supply chain security was still, at best, a niche topic in executive suites in 2021. Even if one generously assumes that one-third of all companies worldwide are actively combating supply chain attacks, this means, conversely, that two-thirds do not take supply chain security seriously or do not recognize its relevance. The complexity of digital business structures is increasing. Cloud services, suppliers, the IoT: everything is becoming more digital, more connected, and more complex. Companies that continue to rely on reactive security measures focused solely on their own business will find themselves even more squarely in the crosshairs of cybercriminals in the future. Defending against supply chain attacks requires a proactive approach that holds suppliers and vendors just as accountable as the company itself.