A new survey from leading security firm CrowdStrike reveals deepening frustration with legacy IT vendors such as Microsoft, as supply chain attacks and ransomware attacks fed by vulnerabilities in their software become the “new normal” for organizations around the world.
The annual CrowdStrike Global Security Attitude Survey for 2021, the fourth of its kind thus far, surveyed 2,200 IT and security managers at medium-to-large businesses from a broad sampling of countries. 63% said they have lost trust in mainstream software vendors due to a seemingly interminable chain of exploited vulnerabilities and security incidents. This often stems from firsthand frustration, with 45% of these organizations reporting a supply chain attack in the past 12 months (a 40% increase from the responses collected in 2020).
Supply chain attacks leading factor in undermining confidence in software products
Accompanying this loss of trust is a feeling of losing ground in the overall battle against cyber threats, with organizations reporting that they are not doing as well in containing supply chain attacks and ransomware attacks within a necessary amount of time.
Cybersecurity news rarely makes it through to the mainstream media news cycle, unless it is some sort of unusually large and damaging event. Ransomware has become so out of control that some of the major attacks (such as Colonial Pipeline) have become topics of discussion for the average non-tech-savvy person, as they begin to see direct impacts on their lives. Supply chain attacks remain something that is a business issue, but a greater amount of businesses are having to account for them as high-level threat actors focus on compromising “upstream” service providers.
The survey finds that 84% of respondents are expecting supply chain attacks to be one of their biggest security challenges in the next three years, as major attacks on software providers like Kaseya and SolarWinds lead to the potential breach of tens of thousands of businesses at once via the pushing of malicious updates. In some cases, such as Kaseya, the vulnerability is one directly in the software of the software provider. In others, such as SolarWinds, the root of the problem with supply chain attacks is in the cloud-based services of a larger provider such as Microsoft. Either way, “big brand names” in the software and cloud services field are taking a pounding as they keep making the news for the wrong reasons.
77% say that their company has been hit with supply chain attacks at some point in its history, and 45% say that there has been at least one in the past 12 months. In spite of this, 64% of respondents say the organization is still not fully vetting its software suppliers.
Microsoft was the only provider mentioned by name in the report, something that may have to do with CrowdStrike being a direct competitor in certain product areas (which Microsoft hastened to point out in a response issued to the press). But it remains true that Microsoft has battled with a string of vulnerabilities in its cloud services in the past two years, and that these openings have been directly exploited as the starting point of numerous supply chain attacks.
Ransomware attacks more frequent, more damaging in 2021
Naturally, ransomware attacks also remain a serious concern among businesses. 66% of survey respondents said they experienced ransomware attacks in 2021, a 10% increase from the 2020 survey. The average payment is up 63% to $1.79 million in just a year’s time, but attackers are also showing a much greater propensity to “double dip” once they are paid; 96% of respondents who paid to settle their ransomware attacks said the hackers demanded at least one more payment, and that extra series of payments averaged about an additional $792,000 in added costs.
In spite of ransomware attacks being all over the news in 2021 and increasing substantially in damage, 57% of respondents said that their organization still has no real plan in place for defending against them. CrowdStrike includes some practical advice for addressing this in the report, suggesting the “1-10-60 rule” as a starting point for organizations still lost in coming to grips with the threat of ransomware attacks. This strategy is a general benchmark to plan around: effective security strategies should aim for 1 minute to detect threats, 10 minutes to clearly define them and 60 minutes to contain them and prevent further damage. CrowdStrike’s Falcon OverWatch security team says that it sees an average time of 92 minutes for threat actors to move laterally across networks from the time of initial breach. By contrast, average security response times are heading in the wrong direction: 165 hours to initial detection in 2021, up from 97 hours in 2020.
While they usually do not end up walking away with the full amount they ask for, the perpetrators of ransomware attacks feel confident enough now that they open with an average demand of $6 million. Given the state of the threat landscape, this is an indicator that average payments and damages could continue to rise in the coming years.