Survey Sees Greater Appreciation of Software Supply Chain Risks
A survey of 1,000 organizations in North America, Europe, Asia-Pacific and Japan found potential attacks against software supply chains are now a bigger concern than attacks that exploit zero-day vulnerabilities or ransomware.
The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Illumio, a provider of a platform for microsegmenting networks, found that nearly half of respondents (48%) had, over the last 24 months, been most personally concerned about a breach of their software supply chain. That compares to 46% concerned about attacks based on zero-day vulnerabilities and 44% concerned about ransomware. The survey allowed respondents to choose multiple responses.
Two-thirds of respondents (66%) said they have experienced at least one attack against their software supply chain in the last 24 months. More than three-quarters (76%) have also seen at least one ransomware attack during the same period. More than a third said a ransomware attack resulted in data being held hostage, with 82% of those organizations ultimately paying a ransom that averaged $495,000.
Despite the number of attacks being launched against them, less than half of respondents (47%) are not operating under the assumption they will be breached. A full 43% admitted that they typically suffer unplanned downtime of a business-critical application at least once a month. The cost of that unplanned downtime, on average, was $251,000. Nearly half of respondents (47%) also noted that IT projects were delayed because resources had to be diverted to responding to attacks.
In terms of ensuring security, a full 46% of respondents identified zero-trust network access as being critical, followed by 43% that cited data classification and security and 40% that cited either incident investigation and response or continuous monitoring. Less than a quarter of the respondents (24%), however, said their organization was progressing toward zero-trust segmentation of their network.
Illumio CTO PJ Kirner said the survey makes it clear there is still too much overconfidence when it comes to cybersecurity. Cybersecurity and application development teams especially need to work together to limit the blast radius of any breach. Segmentation of networks will play a critical role in enabling organizations to achieve their zero-trust goals, he added.
Segmentation of networks is, of course, not a new idea. However, it’s now possible to segment networks at a much more granular level. The challenge is that many organizations lack the skills and resources required to implement a network segmentation strategy effectively. Such a strategy would prevent malware from moving laterally across a distributed computing environment by relying on more than a firewall to isolate virtual networks from one another.
In the meantime, the zero-trust challenge most organizations are struggling with centers around the fact that they need to master multiple technologies to achieve that goal. That means incurring additional costs in terms of both acquiring new platforms and training IT professionals on how to implement and manage them. As a result, the transition to zero-trust IT is much more likely to be an extended journey rather than a single event that instantly addresses all the cybersecurity risks imaginable.