2021-12-22

Supply chain attacks are an emerging cyber threat with the potential to greatly magnify the damage of a single security breach.

A supply chain attack, also known as a third-party attack, is when an attacker accesses a business's network via third-party vendors or suppliers.

Supply chain attacks target vendors and suppliers instead of directly targeting a specific business, making them more difficult to detect and prevent if vendors aren't maintaining strict cybersecurity policies and using the best tools.

Many businesses work with dozens of suppliers for everything from ingredients or production materials to outsourced work and technology.

Over the past decade, vendors and hijacked updates accounted for 60 per cent of software supply chain attacks and disclosures, according to The Atlantic Council. The European Union Agency for Cybersecurity also predicted in a July 21, 2021 report that supply chain attacks would quadruple in 2021 over the number of 2020 attacks.

In the PricewaterhouseCoopers' (PwC) 2022 Global Digital Trust Insights Survey, most respondents seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks.

Only 40 per cent of survey respondents indicated that they thoroughly understand the risk of data breaches through third parties, based on formal enterprise-wide assessments.

Nearly a quarter have little or no understanding at all of these risks — a major blind spot of which cyber attackers are well aware and willing to exploit, PwC said.

Larger companies in the supply chain could become vulnerable to attacks stemming from the exploitation of smaller, less secure businesses that do not see themselves as potential targets.

Among the respondents, 56 per cent expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 34 per cent have formally assessed their enterprise's exposure to this risk.

Additionally, 57 per cent expect a jump in attacks on cloud services, but only 37 per cent profess an understanding of cloud risks based on formal assessments.

According to the report, fewer than half of all respondents — 30 to 46 per cent — indicated that they've responded to the escalating threats that complex business ecosystems pose.

Furthermore, when asked how they're minimising their third-party risks, they gave largely reactionary answers — auditing or verifying their suppliers' compliance (46 per cent), sharing information with third parties or helping them in some other way to improve their cyber stance (42 per cent), and addressing cost- or time-related challenges to cyber resilience (40 per cent).

“The ones that have responded seem to be focusing their efforts primarily on today, perhaps at the expense of tomorrow,” the report said.

“Only one top response — that they are refining criteria for onboarding and ongoing assessments (42 per cent) — could be considered proactive, offering benefits over the long term,” it continued, noting that publicly listed organisations (47 per cent) were significantly more likely to claim this step.

At the same time, more than half have still not taken actions that promise a more lasting impact on their third-party risk management — they've not refined their third-party criteria (58 per cent), not rewritten contracts (60 per cent), and not increased the rigour of their due diligence (62 per cent).

Nonetheless, organisations know that risks are increasing.

The survey also revealed that investments continue to pour into cybersecurity. Sixty-nine per cent of organisations predict a rise in cyber spending in 2022, compared to 55 per cent last year. While more than a quarter (26 per cent) predict cyber spending hikes of 10 per cent or more, only 8 per cent said so the previous year.

The 2022 Global Digital Trust Insights Survey draws upon the views of over 3,000 business, technology, and security executives across a range of industries from various regions.