A majority of healthcare industry respondents think their organization’s leadership may lack awareness of healthcare supply chain risk, according to a survey by Vanson Bourne on behalf of endpoint security firm CrowdStrike.
A full 84 percent of healthcare respondents believe software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.
Out of the 70 percent of healthcare industry respondents who have experienced a software supply chain attack, 32 percent experienced one within the last 12 months.
The average cost of a supply chain attack on the healthcare industry is more than $884,000.
For the survey, Vanson Bourne polled 1,300 IT decision makers and security professionals across industries in the United States, Canada, United Kingdom, Mexico, Australia, Germany, Japan, and Singapore.
Across industries, nearly 80 percent of respondents believe software supply chain attacks have the potential to become one of the biggest cyber threats over the next three years.
Two-thirds of the surveyed organizations experienced a software supply chain attack in the past 12 months. At the same time, 71 percent said they believe their organizations do not always hold external suppliers to the same security standards.
Around 87 percent of organizations that suffered a software supply chain attack had either a full strategy in place or some level of response pre-planned at the time of their attack.
Only 37 percent of respondents in the United States, United Kingdom, and Singapore said their organization has vetted all suppliers in the past 12 months, and only a quarter believe with certainty their organization will increase its supply chain resilience in the future.
A full 90 percent of respondents confirmed they incurred a financial cost because of experiencing a software supply chain attack. The average cost of an attack was over $1.1 million.
The industries that experience supply chain attacks the most are biotechnology and pharmaceuticals, hospitality, entertainment and media, and IT services.
Fifty-eight percent of senior IT decision-makers whose organization has vetted software suppliers in the past 12 months stated that they will be more rigorous when evaluating their security partners, and nearly 90 percent agreed security is a critical factor when making purchasing decisions about new suppliers.
Although almost 90 percent of the respondents believe they are at risk of a supply chain attack, companies are still slow to detect, remediate, and respond to threats.
The survey found that, on average, it takes respondents 10 hours to detect an attack, 13 hours to react to it, and 15 hours to respond. In all, the survey reports that it takes a total of 63 hours to return environments to the state they were in before the attack.
Proactive organizations aim to eject an adversary in less than two hours, that is, within the “breakout time.”
Breakout time is the time it takes for an intruder to begin moving laterally from the initial beachhead they have established to other systems in the network. The average breakout time is 1 hour and 58 minutes, a tight window during which an organization can still prevent an intrusion from turning into a breach.
The study indicated that organizations are looking to adopt new approaches to breach protection such as behavioral analytics, endpoint detection and response, and threat intelligence, with three quarters of respondents using or evaluating these technologies.
“It’s clear that supply chain attacks are becoming a business-critical issue, impacting topline relationships with partners and suppliers, but organizations largely lack the knowledge, tools, and technology to be protected,” said CrowdStrike Vice President of Product Marketing Dan Larson.
“Knowledge gaps and the lack of established standards to prevent complex supply chain attacks are putting organizations at risk from a financial, reputational, and operational perspective. Organizations need effective prevention, detection and response technologies to mitigate these growing risks, and we are encouraged to see the uptick in interest to adopt next-generation endpoint security technologies,” Larson said.