Trust in Legacy IT Vendors Drops as Supply Chain Security Issues Increase

As trust in legacy IT vendors declines, supply chain security issues are increasing and organizations are reporting higher ransomware payout demands and extortion fees.

By Jill McKeon

More than half of surveyed organizations reported losing trust in legacy IT vendors, such as Microsoft, in light of recent cyberattacks that exposed severe supply chain security gaps, according to a recent report commissioned by CrowdStrike and conducted by research firm Vanson Bourne.

High-profile cyberattacks like Kaseya and Sunburst put supply chain security issues in the spotlight. Over three-quarters of respondents said that their organization had suffered a supply chain attack at some point in the past. In healthcare, weak supply chain security can lead to patient safety issues, delays in care, and a loss of trust between organizations and their third-party vendors.

Over 40 percent of respondents reported experiencing a supply chain attack in the last 12 months, compared to 32 percent in 2018. Additionally, over 80 percent of respondents said they believed software supply chain attacks could become one of the biggest cyber threats within the next three years.

“For cybercriminals, the beauty of software supply chain attacks is that while the initial objective of infiltrating a single company remains the same, their chances of impacting hundreds if not thousands of other businesses are significantly higher due to what their primary target specializes in,” the report stated.

“So, considering that non-software companies don’t have complete control when it comes to defending against software supply chain attacks, it’s essential that they have an action plan for responding to such a breach when it occurs.”

Almost six in ten respondents admitted that when their organization fell victim to a supply chain attack, they did not have a thorough cyber incident response plan. Healthcare organizations are required to implement an incident response plan under HIPAA.

However, research has shown that while many organizations have a plan, only a handful actively practice that plan and are prepared to respond to cyber threats.

The responsibility does not lie solely with the victims of cyberattacks. IT vendors that have a place in the supply chain also must implement adequate security measures to protect their clients and maintain trust.

“IT vendors must also shoulder some of the responsibility as they are the first line of defense against this form of cyberattack. This is particularly true of legacy vendors who are ingrained in the infrastructure of businesses worldwide – if changes are not made, then trust in these brands will begin to nosedive,” the report reasoned.

Researchers also found that more than half of respondents suffered at least one traditional ransomware attack in the last 12 months. The average ransomware payment in the US was $1.55 million, a 63 percent increase compared to 2020. The average ransom demand from attackers was $6 million, the report explained, showing that cybercriminals are not receiving the full amounts they ask for.

Almost a quarter of respondents ended up paying the ransom, and 96 percent of those who paid were also forced to pay additional extortion fees.

“These ‘double extortion’ fees alone would be a notable outlay, but on top of an already hefty ransom payment, it could be a devastating blow for many organizations, particularly during a period of economic uncertainty,” the report noted.

“Moving forward, it’s imperative that organizations better equip themselves to deal with a ransomware breach because increasingly it seems as though it is a question of ‘when’ rather than ‘if’ they will suffer at the hands of this highly persistent attack vector.”