ENISA research forecasts spike in supply chain attacks

Conventional cyber security safeguards are no longer enough to protect organisations from malicious actors in lieu of an expected bump in supply chain breaches, according to new ENISA research.

A new report from the European Union Agency for Cybersecurity (ENISA) — Threat Landscape for Supply Chain Attacks — has flagged an expected surge in supply chain cyber attacks in the coming month.

The research, which involved an analysis of 24 recent attacks, found that conventional security protections are no longer sufficient, with cyber criminals increasingly shifting their attention to suppliers.

ENISA is anticipating a four-fold increase in supply chain attacks year-on-year.

As such, the agency has urged policymakers and the broader cyber security community to employ new strategies aimed at preventing and responding to potential breaches.

“Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once,” Juhan Lepassaar, EU Agency for Cybersecurity executive director, said.

“With good practices and co-ordinated actions at EU level, member states will be able to reach a similar level of capabilities raising the common level of cyber security in the EU.”

The research revealed that attackers focused on the suppliers’ code in approximately 66 per cent of reported incidents, highlighting the need for validation of third-party code and software.

Roughly 58 per cent of the supply chain incidents analysed involved attempts to access customer data, including Personally Identifiable Information (PII) data and intellectual property.

VIEW ALL

Alarmingly, 66 per cent of affected suppliers were unaware or failed to report breaches.

Recommendations outlined by ENISA for customers include:

identifying and documenting suppliers and service providers;
defining risk criteria for different types of suppliers and services such as supplier & customer dependencies, critical software dependencies, single points of failure;
monitoring of supply chain risks and threats;
managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components; and
classifying of assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.

Meanwhile, suppliers have been encouraged to:

ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cyber security practices;
implement a product development, maintenance and support process that is consistent with commonly accepted product development processes;
monitor of security vulnerabilities reported by internal and external sources that includes used third-party components; and
maintain an inventory of assets that includes patch-relevant information.

Charbel Kadib

News Editor – Defence and Security, Momentum Media

Prior to joining the defence and aerospace team in 2020, Charbel was news editor of The Adviser and Mortgage Business, where he covered developments in the banking and financial services sector for three years. Charbel has a keen interest in geopolitics and international relations, graduating from the University of Notre Dame with a double major in politics and journalism. Charbel has also completed internships with The Australian Department of Communications and the Arts and public relations agency Fifty Acres

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

ENISA research forecasts spike in supply chain attacks

Charbel Kadib

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED