Software supply chain cyber-attacks – are firms doing enough?


While procurement professionals focus on their core functions, from strategic sourcing and category management to opportunity assessment, they may be taking their eye off more dangerous threats. This is especially so for the fast-growing risk posed by cyber-attacks on software supply chains.

A new report from the US National Counterintelligence and Security Center (NCSC) warns that the risk of cyber-attacks on software supply chains is escalating. While there were only four major attacks between 2014 and 2016, there were seven incidents in 2017 alone. The report notes, “software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors.”

Supply chains have grown vastly more complex in recent years, and companies routinely share their data with large numbers of suppliers. According to the NCSC, that very necessity exposes them to heightened risk of a cyber-attack.

Hackers who corrupted CCleaner with malware gained access to major multibillion-dollar firms, including Sony, Samsung and Intel, while the NotPetya cyber-attack siphoned $300m each from Maersk and FedEx. Hundreds of businesses across multiple industries were disrupted by corrupted NetSarang software. All of these attacks happened in 2017.

In the NCSC survey of IT security professionals and senior decision makers, 56% of respondents admitted that their organisation was at moderate to high risk of a supply chain cyber-attack.

On top of this, 80% acknowledged that, in the coming three years, software supply chain breaches “have the potential to become one of the biggest cyber threats to organizations,” while a worrying 62% reported that their executive leadership remained unaware of the risk of the huge disruptions and losses such attacks present.

Procurement professionals may have some urgent work to do with IT security colleagues: only 28% of the businesses polled checked their suppliers’ relationships with their own suppliers.

However, awareness of the risks does seem to be rising after the NotPetya and WannaCry cyber-attacks. Some 31% of those polled said that their company’s board had become more involved in cyber-security following these crimes, and 44% reported plans to deploy AI in their IT security solutions over the coming year.

Ed Cross

Ed founded Odesma in 2014 with the explicit intent of creating a new kind of procurement consultancy built entirely on cloud principles. It deploys best-of-breed subject matter experts alongside the best on-demand technology to deliver rapid and effective change for customers.
