An exponential increase in supply-chain attacks

The threat of supply chain attacks is on the increase, according to recent Europe-wide research that analysed dozens of recent breaches. The report comes from the European Union Agency for Cybersecurity (ENISA), which concludes that even strong security defences are not always enough to mitigate the risk entirely.

ENISA reported that 24 publicly known supply chain compromises were identified between January 2020 and July 2021. Just over 30% of these attacks took place in 2020 but two thirds occurred in the first 6 months of 2021, showing a marked increase in frequency. These figures should act as a call to action to adopt a Defence-in-Depth approach to mitigate the risk of attack. Indeed, governments are now starting to dedicate more time and resource towards the global threat.

Recent high-profile cases included Jefit, a home workout app that was the victim of a substantial data breach in late 2020. This was caused by a security bug exploited by threat actors who then stole the data.

The ENISA report also outlined the risk of Advanced Persistent Threat groups (APTs) and the Tactics, Techniques, and Procedures (TTPs) that are commonly adopted in attacks. Mapping these TTPs to a recognised framework is a standardised approach that can help plan and evaluate cyber security defences. Raising awareness of favoured frameworks such as MITRE ATT&CK alongside favoured TTPs can help organisations identify potential risks and implement security defences.

For the rest of 2021, it is inevitable that threat actors will continue to identify opportunities to attack supply chains, because targeting one specific supplier lets them impact customers globally. Supply chain compromises remain attractive as they offer high rewards for lower effort.

It’s important to maintain a strong, defensive security stance, and all organisations should be encouraged to review risk criteria for different suppliers and service providers. By addressing customer dependencies, critical software dependencies and single points of failure, you are taking a crucial step towards reducing the risk of data exfiltration if targeted by a supply chain attack.
