Security
Headlines
HeadlinesLatestCVEs

Headline

One in five data breaches due to software supply chain compromise, IBM report warns

Attack vector cost businesses 2.5% more in one year

PortSwigger
#ibm

Attack vector cost businesses 2.5% more in one year

Supply chain attacks on the rise, costing businesses more year on year as organizations failing to implement zero trust strategies.

This is according to IBM’s new Cost of a Data Breach report, which found that one in five breaches occurred because of a compromise at a business partner, with a supply chain breach taking on average 26 days longer to identify and contain than the global average.

The total cost of a supply chain compromise was $4.46 million – 2.5% higher than average.

The report also found that the global average cost of a data breach has hit an all-time high of $4.35 million – up nearly 13% over the last two years.

“Seventeen per cent of breaches in critical infrastructure organizations occurred due to a business partner being initially compromised – this shows us that organizations need to put more focus on the security controls that govern third party access,” John Hendley, head of strategy at IBM Security X-Force told The Daily Swig.

Zero trust, zero problems?

Critical infrastructure organizations such as financial services, industrial, transportation, and healthcare companies are a growing target for these attacks, says IBM, and zero trust is the best way to guard against attack.

“Organizations need to be more vigilant than ever and closely scrutinize these external points of access into their environment, whether that’s through direct network access, applications, or even physical access,” says Hendly.

“Supply chain attacks are of great concern, both because of how insidious they are and how extreme their impacts can be. We saw this play out with SolarWinds, and we’ll surely see more of these attacks in the future.”

Read more of the latest news about software supply chain attacks

Those organizations that had implemented a zero trust security approach saw breaches cost them less, with an average cost saving of $1.5 million.

However, critical infrastructure organizations in particular are failing to do this, with only one in five having adopted a zero trust model, compared with an overall global average of 41%.

Javvad Malik, lead security awareness advocate at KnowBe4, says that greater transparency is needed across the supply chain, along with greater technical assurance that all components are adequately secured.

“We’ve seen many organizations breached, not for the organization itself, but because it will provide a way into another. Popular examples of these include Target, RSA, and more recently SolarWinds,” he told The Daily Swig.

“While many organisations try to mitigate risks by sending out lengthy questionnaires to third parties it deals with to determine the level of security they employ, it is often not sufficient to cover the entire supply chain, and even if it was, it doesn’t provide technical assurance.”

YOU MAY ALSO LIKE ‘We’re still fighting last decade’s battle’ – Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig