Cyber risks to supply chains take many forms, from ransomware and data theft to distributed denial-of-service (DDoS) attacks and fraud, and a 2022 report found that 90% of managed service providers (MSPs) had suffered a cyber attack in the preceding 18 months. Phil Muncaster, writing for the antivirus vendor ESET, puts it this way: "Supply chains represent the connecting network that facilitates global trade and prosperity. However, these networks of overlapping and interconnected companies are becoming increasingly complex and opaque. Most involve the use of software and digital services or at least depend to some extent on online interactions. And this exposes them to the risk of disruption and compromise (...) Cyber risks concerning the supply chain can take many forms, from ransomware and data theft to denial-of-service (DDoS) attacks and fraud. These can impact companies that provide professional services (e.g., lawyers, accountants) or those that supply business software. Attackers may also target managed service providers (MSPs) because compromising a single company in this way could grant access to a potentially large number of downstream corporate users. A 2022 report showed that 90% of MSPs have suffered a cyber attack in the last 18 months."
According to the cited source, one of the main types of supply chain attack is the compromise of proprietary software: attackers break into a software vendor's development or distribution pipeline and plant malicious code that is then shipped to customers inside what looks like a legitimate update. "This happened in the Kaseya ransomware campaign. In a more recent case, a popular file transfer software, MOVEit, was compromised, with attackers exploiting a 'zero-day' vulnerability, and data was stolen from hundreds of corporate users, affecting millions of customers. Meanwhile, the compromise of the 3CX communications software remains in history as the first publicly documented incident where a supply chain attack led to another."
The same source also records attacks on open-source supply chains (up 633% year-over-year, according to a specialized report), Business Email Compromise (BEC) fraud, and credential theft, in which attackers steal a supplier's login credentials in order to get into the supplier's own network or that of its clients. The 2013 Target breach is the classic case: attackers stole network credentials from one of the retailer's HVAC (heating, ventilation, and air conditioning) contractors and used them to reach Target's own systems. To manage these risks, the cited experts recommend screening every new vendor before onboarding; using software composition analysis (SCA) tools to gain visibility into the components inside the software you run, together with continuous scanning for vulnerabilities and malware and prompt remediation of whatever is found; periodically reviewing and updating the list of approved vendors; establishing a formal vendor policy; developing an incident response plan; and adopting industry standards such as ISO 27001 (information security management) and ISO 28000 (supply chain security management). Official statistics show that last year in the US there were 40% more supply chain attacks than malware-based attacks, and that these led to breaches affecting over ten million individuals.
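The two recommendations above that are actually technical, SCA visibility into components and continuous scanning, and the earlier point about malicious code being shipped inside a vendor's update, both come down to the same small check: know exactly which component versions you depend on, compare them against advisories, and verify that the artifact you received is the one the lockfile pinned. The following is an added illustration, not code from ESET or from any article cited here. The lockfile, the package names (widgetlib, parsekit, netutil), the advisory ranges and the "downloaded" artifact bytes are all constructed; the one real convention it borrows is pip's `name==version --hash=sha256:...` pin format.

```python
"""Minimal SCA-style scan: inventory a lockfile, match versions against advisories,
and verify delivered artifacts against their pinned hashes.
Added example; all names, advisories and artifacts below are constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# One pinned component from a lockfile (pip --hash style).
@dataclass
class Component:
    name: str
    version: str
    expected_sha256: Optional[str]  # None when the lock entry carries no hash


@dataclass
class Finding:
    component: str
    version: str
    kind: str    # "vulnerable" | "integrity" | "unpinned"
    detail: str


# name==1.2.3 [--hash=sha256:<64 hex>]; comments and blank lines are skipped by the parser.
LOCK_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[0-9][0-9.]*)"
    r"(?:\s+--hash=sha256:(?P<sha>[0-9a-f]{64}))?$"
)


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.9 (string compare would not)."""
    return tuple(int(part) for part in v.split("."))


def parse_lockfile(text: str) -> list[Component]:
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCK_RE.match(line)
        if m is None:
            # Fail closed: a line we cannot inventory is a line we cannot vouch for.
            raise ValueError(f"unparseable lock entry: {raw!r}")
        components.append(Component(m["name"].lower(), m["ver"], m["sha"]))
    return components


# Constructed advisories: (package, first affected version inclusive, fixed version exclusive).
ADVISORIES = [
    ("widgetlib", "1.0.0", "1.4.2"),
    ("parsekit", "0.0.0", "3.0.0"),
]


def scan(lock_text: str, fetched: dict[str, bytes], advisories=ADVISORIES) -> list[Finding]:
    """Return vulnerability, integrity and unpinned findings for every locked component."""
    findings: list[Finding] = []
    for c in parse_lockfile(lock_text):
        v = parse_version(c.version)
        for adv_name, lo, hi in advisories:
            if adv_name == c.name and parse_version(lo) <= v < parse_version(hi):
                findings.append(Finding(c.name, c.version, "vulnerable",
                                        f"affected range >={lo},<{hi}"))
        if c.expected_sha256 is None:
            findings.append(Finding(c.name, c.version, "unpinned",
                                    "no --hash pin; a swapped artifact would not be noticed"))
        elif c.name in fetched:
            actual = hashlib.sha256(fetched[c.name]).hexdigest()
            if actual != c.expected_sha256:
                findings.append(Finding(c.name, c.version, "integrity",
                                        f"sha256 mismatch: expected {c.expected_sha256[:12]}..., "
                                        f"got {actual[:12]}..."))
    return findings


# Constructed lockfile. widgetlib pins sha256("abc"), parsekit pins sha256(""), netutil has no pin.
LOCKFILE = """\
# constructed lockfile for the example
widgetlib==1.3.0 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
parsekit==3.1.0 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
netutil==2.0.1
"""

# Constructed "downloaded" artifacts: parsekit's bytes do not match its pin (a tampered delivery).
FETCHED = {"widgetlib": b"abc", "parsekit": b"abd", "netutil": b"anything"}


def scan_example() -> list[Finding]:
    return scan(LOCKFILE, FETCHED)


if __name__ == "__main__":
    for f in scan_example():
        print(f"{f.kind:10} {f.component}=={f.version}: {f.detail}")
```

Run against the constructed data this yields three findings: widgetlib 1.3.0 falls inside an advisory range, parsekit's delivered bytes do not hash to the pinned value (the "malicious update" case, caught without knowing anything about the payload), and netutil carries no hash at all, so its integrity cannot be checked. A real SCA tool does the same three things at scale, with an SBOM as the inventory and a vulnerability feed as the advisory list; the point of the `unpinned` finding is that visibility alone is not enough if the pin cannot be verified.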