Cyber attacks on supply chains are on the rise with no signs of stopping, warns the European Union Agency for Cybersecurity (ENISA) in a report.
Strong security protection is “no longer enough”, it said, adding that cybersecurity incidents are expected to increase four-fold this year compared to 2020.
The report, Threat landscape for supply chain attacks, examined infiltrations over the past 12 months and found that in 66% of cases attackers had targeted a supplier’s system code, while 20% targeted data, and 12% had focused on internal processes.
While malware was the most common method used, accounting for 62% of incidents, two-thirds of attacks on customers took advantage of trust in their suppliers.
It said a common mistake is trusting that prompts to allow automatic software updates and system backups are from genuine suppliers. It also argued that accepting that policies and system certificates are in place, without performing checks, would introduce vulnerabilities.
This, it said, highlights the need for businesses to take greater action such as validating third-party code and software to ensure they have not been tampered with or manipulated.
When it came to sharing information, in 66% of incidents suppliers did not know or were not prepared to disclose how their systems had been compromised, while 9% of customers had no knowledge of how they had been compromised.
Cyberattacks on supply chains are becoming increasingly common as they enable criminals to target larger numbers of customers at once, resulting in a more “widely propagated impact”.
As a result, ENISA is calling for coordinated action to be taken at EU level to tackle the issue.
“Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once,” said Juhan Lepassaar, executive director at the EU Agency for Cybersecurity.
These “far-reaching consequences” may be due to “increased interdependencies and complexities of the techniques used”, the report stated.
“Organisations need to update their cybersecurity methodology with supply chain attacks in mind and to incorporate all their suppliers in their protection and security verification.”
It also recommended companies establish strict cybersecurity practices and ensure their manufacturing infrastructure and delivery products adhere to these, and advised companies to monitor security vulnerabilities and maintain inventories of cyber assets.