Attack vector costs companies 2.5% more in one year
Supply chain attacks are on the rise, costing companies more year after year as organizations fail to implement zero trust strategies.
This is according to IBM’s new Cost of a Data Breach report, which found that one in five breaches resulted from a business partner compromise, with a supply chain breach taking an average of 26 days longer to identify and contain than the global average.
The total cost of a supply chain compromise was $4.46 million – 2.5% higher than average.
The report also found that the global average cost of a data breach has reached an all-time high of $4.35 million — an increase of nearly 13% in the past two years.
“Seventeen percent of breaches in critical infrastructure organizations have occurred because a business partner was compromised in the first place – showing us that organizations need to pay more attention to the security controls that govern third-party access,” John Hendley, chief of strategy at IBM Security X-Force, told The Daily Swig.
No trust, no problems?
Critical infrastructure organizations such as financial services, industrial, transportation and healthcare companies are a growing target for these attacks, IBM says, and zero trust is the best way to protect against attacks.
“Organizations need to be more vigilant than ever, closely monitoring these remote access points to their environment, whether that be through direct network access, applications, or even physical access,” Hendley says.
“Supply chain attacks are a major concern, both because of how insidious they are and how extreme their impact can be. We saw this happen with SolarWinds and we will definitely see more of these attacks in the future.”
Organizations that had implemented a zero trust security approach saw their breaches cost less, with an average saving of $1.5 million.
However, critical infrastructure organizations in particular do not do this. Only one in five has adopted a zero trust model, compared to an overall global average of 41%.
Javvad Malik, lead security awareness advocate at KnowBe4, says greater transparency is needed across the supply chain, along with greater technical assurance that all components are adequately secured.
“We have seen that many organizations have been violated, not for the organization itself, but because it will provide a path to another. Popular examples of this include Target, RSA, and more recently SolarWinds,” he told The Daily Swig.
“While many organizations try to mitigate risk by sending lengthy questionnaires to third parties they deal with to determine the level of security they use, it is often not enough to cover the entire supply chain, and even if it did, it’s not enough to provide technical security.”