CFOs need to know: Supply chain statistics

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

Why attack a company’s well-guarded system when it’s easier to target one of its suppliers, who may be less protected? Supply chain attacks work when hackers gain access to their target through a vendor’s compromised credentials or infected systems.

An attack on one business can set off a chain reaction that reaches its suppliers and customers. Attackers are also refining their methods with each campaign, from brute-force credential attacks to impersonation of an executive.

Businesses must stay vigilant. The supply chain statistics highlight the potential fraud risk to many organisations and how it can affect Accounts Payable teams.

Author’s Top Picks

  • In Q1 2021 alone, supply chain attacks rose 42% in the U.S. Couple that with a 10% increase in the average cost of a data breach.
  • 60% of supply chain workers are not watching third-party vendors for ongoing risks.
  • Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year.
  • Stuxnet was first observed in 2010 and it infected Supervisory Control and Data Acquisition (SCADA) systems. All in all, the worm affected 200,000 computers and led to the degradation of industrial control systems.
  • SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation.

Supply chain attack statistics

1. In a 2010 survey of 639 executives covering a range of regions and industries, 71% said their companies were more at risk from supply-chain disruption than previously, and 72% expected those risks to continue to rise.

Numerous companies in a variety of industries have, over the last decade, had their reputations threatened and their finances imperilled by problems within their supply chains. Most of these incidents trace back to a lack of robust processes to identify and manage growing supply-chain risks.

2. 55% of organisations feel that suppliers’ insolvency is one of the leading financial risks originating from the supply chain.

Supplier insolvency occurs when a business cannot pay its debts as they fall due. Keeping tabs on the hidden risk factors and financial health of every supplier in complex supply chains that extend across international borders is difficult: these risks are hard to predict and hard to detect.

3. Data security in the supply chain is a major concern for more than 45% of cyber security planners.

Data security in supply chains is a bigger concern than ever because data breaches are reported constantly. Supply chain risk should therefore be a priority for every business, and businesses must implement layers of security to reduce the risk of being defrauded or scammed.

4. Supply chain attacks have increased by 78%.

According to Symantec's Internet Security Threat Report, the number of supply chain attacks increased by 78% in 2018. Compromised accounts are also increasingly used to break into networks and spread false information, for example through phishing emails or Business Email Compromise in which an executive is impersonated.

5. In Q1 2021 alone, supply chain attacks rose 42% in the U.S. Couple that with a 10% increase in the average cost of a data breach.

Phishing emails are not the only vector: supply chain attacks also arrive as unauthorised access to ERP systems and as backdoors introduced through open-source components or third-party software. Accounts payable teams rely heavily on exactly these systems for their daily work, so a compromise there lands directly in the payment process.

6. 60% of supply chain workers are not watching third-party vendors for ongoing risks.

Employees involved in the supply chain often overlook third-party vendors when assessing ongoing cyber risk. According to ENISA, the European Union Agency for Cybersecurity, 66% of supply chain attacks targeted the supplier's code, 62% exploited customers' trust in the supplier, and more than half of software supply chain attacks used malware.

7. A staggering 66% of supply chain cyber attacks exploited trust in suppliers’ security. If payment data gets compromised, the information about those organisations’ customers is also at risk.

Organisations need to be aware of every third party they deal with in the supply chain, including contracted maintenance companies and suppliers. Anyone with access to the business's network, or who interacts with it anywhere along the supply chain, could be a risk; insider threats, for example, can pose a bigger risk to a business than an external attack.

8. The study, which surveyed 1,400 cyber security decision makers, found that 36% said that they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers.

Many businesses depend on their IT teams and cyber security professionals to protect them from fraud, but CFOs should treat cyber security as a fundamental finance function too. They are exposed not only to the direct loss of their own funds but also to losses caused by compromise of the suppliers they do business with.

9. Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year.

Strong perimeter security is no longer enough when attacks come through suppliers. Because the malicious traffic arrives from a trusted source, it tends to go unnoticed. These attacks are usually planned for months by attackers who probe multiple ways of infiltrating an organisation by targeting its suppliers.

10. According to IBM’s 2020 Cost of a Data Breach report, weakness in third-party software are the root cause of 16% of all breaches.

Most accounts payable teams assume their software vendors are secure and do not test them for weaknesses further down the digital supply chain. Security research finds that 32% of organisations fail to reassess their existing vendors regularly or to vet new vendors at onboarding. CFOs must work with supply chain managers to prioritise their own security and that of their supply chain.

Top supply chain attacks statistics

11. In fact, this fall, security vendor Immuniweb reported that 97% of the world's top 400 cyber security companies had data leaks or other security incidents exposed on the dark web – and 91 companies had exploitable website security threats.

Once data is stolen in a breach, it keeps being used long after the attack: the sensitive data can later be used to penetrate other third-party suppliers or sold on the dark web. Every newly onboarded vendor also widens the attack surface, so each one should be verified before it is granted access or paid.

12. Stuxnet was first observed in 2010 and it infected Supervisory Control and Data Acquisition (SCADA) systems. All in all, the worm affected 200,000 computers and led to the degradation of industrial control systems.

Stuxnet is a computer worm that first appeared in 2010 and is believed to have been in development since 2005. It was built to sabotage industrial control systems, specifically Siemens programmable logic controllers driving uranium-enrichment centrifuges in Iran, by altering their operation while reporting normal readings to operators. It spread far beyond that target, infecting an estimated 200,000 computers worldwide and degrading the industrial control systems it reached.

13. The 2017 Equifax breach is blamed on a flaw in the externally managed software that the company relied on. The Equifax breach compromised data belonging to 145,000,000 Americans.

The Equifax breach compromised the personal records of 147.9 million Americans (the company's estimate was revised upward more than once from the earlier 145 million figure), as well as data on about 15.2 million UK residents. The attackers exploited an unpatched vulnerability in Apache Struts, an open-source web framework the company depended on. In the aftermath the business and its executives faced heavy criticism.

14. The SolarWinds attack impacted as many as 18,000 clients. The fact that signed vendor updates are often exempt from routine security screening contributed to the widespread nature of this breach.

SolarWinds was one of the most damaging supply chain attacks seen to date. The attackers compromised the build process of the widely used Orion software at its source, so every customer who installed the trojanised update was exposed. More than 18,000 organisations downloaded it, and US government officials classified it as one of the worst breaches to hit the US government, according to CNN.

15. In the Mimecast attack, hackers were able to compromise a security certificate that authenticates Mimecast's services on Microsoft 365 Exchange Web Services.

The Mimecast incident was one of the notable supply chain attacks of early 2021 (it was a certificate compromise, not ransomware). A certificate Mimecast issued to customers for authenticating its services to Microsoft 365 Exchange Web Services was compromised by a sophisticated threat actor, who could use it to connect to the affected customers' tenants. Roughly 10% of Mimecast customers used the affected connection. Mimecast attributed the intrusion to the same actor behind the SolarWinds attack.

16. The attack on ASUS, according to Symantec researchers, took advantage of an update feature and impacted as many as 500,000 systems.

In 2018 attackers hijacked ASUS's Live Update tool and pushed a backdoored update, signed with legitimate ASUS certificates, to as many as 500,000 computers; the backdoor itself was aimed at a short list of specific machines identified by MAC address. Hijacking a software update is one of the most common forms of supply chain attack.

The cost of supply chain attack statistics

17. The average cost of a data breach in 2020 was USD 3.86 million and the average time to identify and contain a breach was 280 days.

According to IBM and the Ponemon Institute, the average cost of a data breach is around USD 3.86 million. For companies hit by a supply chain attack the cost can be heavier still, because the attack may also lead to diverted payments and funds that are never recovered.

18. The average cost per data breach in the healthcare and finance industries is USD 7.13 million and USD 5.56 million respectively.

Healthcare and financial services are sectors that cyber criminals heavily target for supply chain attacks. The malware deployed in these attacks is well hidden and is often pushed to hundreds of organisations at once. Where a third-party vendor installs and manages software for many customers, compromising that vendor gives attackers a route into all of them.

19. According to the paper, the average financial impact of a supply chain attack against an enterprise reached $1.4 million in 2021, making it the most expensive type of incident.

Security vendor Kaspersky reports that each supply chain attack is becoming more costly. Businesses can reduce this cost by securing their digital assets with stronger endpoint protection that offers effective detection and response.

20. SolarWinds incurred $3.5 million in expenses last year due to the attack on its supply chain. This covers investigation and remediation, as well as provision for future claims and additional investigations. Beyond direct financial losses, SolarWinds Inc. also suffered lost productivity, data destruction and damage to its reputation.

21. The Interos Annual Global Supply Chain Report, reveals that global supply chain disruptions cost large companies, on average, $184 million a year.

Out of 900 people surveyed, the vast majority (94%) said they’d been negatively impacted by supply chain disruptions. They blamed financial, cyber, environmental, social, and governance (ESG) transparency issues for the problems. For example, executives must consider all the risks involved with selecting third-party vendors and any technology that may be used when onboarding them.

22. REvil ransomware hit over 1,000 companies in an MSP (Managed Service Provider) supply chain attack, demanding $50 million.

REvil is a ransomware family whose operators, in July 2021, used a supply chain attack on managed service provider software (the Kaseya incident, see item 30) to reach over 1,000 businesses at once. Once the victims' data had been encrypted and they could no longer access it, the attackers demanded $50 million.

23. A third party breach can cost an estimated $400,000 and is expected to rise.

Supply chain organisations often have a large number of external connections, including to critical infrastructure organisations. The prevailing logic in supply chain attacks is "hack one, breach many": once a weakness in one business's security is exploited, its supply chain partners are exposed as well.

24. Attackers spoofed a vendor domain to trick non-profit employees into divulging sensitive data so that attackers could steal £1 million of rent money.

Domain spoofing is a tactic commonly used by cyber criminals: they register a domain that looks like a business's, a provider's or a supplier's and use it to trick their targets into sending large sums of money. One well-known example is a community housing non-profit that was defrauded of over $1.2 million when domain spoofing was combined with a business email compromise.
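A practical version of the "cross-check the sender's domain" advice, as an added example that is not part of the original post or Eftsure's product: a screen for inbound invoice emails that compares the From: domain with the accounts payable vendor master and flags lookalike domains (accents, homoglyphs, digit swaps, "rn" for "m", dropped hyphens or dropped parts of the TLD) and display-name spoofing from unrelated domains. The supplier names, domains and sample headers are constructed for the example.

```python
"""Screen the From: header of an inbound invoice e-mail against the
accounts-payable vendor master.  Added example; supplier names, domains
and the sample headers below are constructed, not real suppliers."""
import unicodedata
from email.utils import parseaddr

# Constructed vendor master: supplier display name -> registered e-mail domain.
APPROVED_SUPPLIERS = {
    "Acme Fasteners": "acme-fasteners.com.au",
    "Northwind Logistics": "northwind-logistics.com",
}

# Characters an attacker swaps in because they look like Latin letters:
# digits and a handful of Cyrillic letters.  NFKD below handles accents.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})


def canonical(domain: str) -> str:
    """Fold a domain so that common spoofing tricks collapse onto the
    genuine domain: case, punycode, accents, homoglyphs, digit swaps,
    'rn' for 'm', 'vv' for 'w', and dropped dots or hyphens."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn--... labels back to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: fold as-is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return d.replace(".", "").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_from_header(from_header: str, suppliers=APPROVED_SUPPLIERS) -> dict:
    """Classify a From: header.  Verdicts:
      approved   - domain is (or is a subdomain of) a registered supplier domain
      lookalike  - domain folds onto, or is within 2 edits of, a supplier domain
      name_spoof - display name is a supplier's but the domain is unrelated
      unknown    - no relation to the vendor master; route to normal onboarding"""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for supplier, good in suppliers.items():
        if domain == good or domain.endswith("." + good):
            return {"verdict": "approved", "supplier": supplier, "domain": domain}
    canon = canonical(domain)
    for supplier, good in suppliers.items():
        if levenshtein(canon, canonical(good)) <= 2:
            return {"verdict": "lookalike", "supplier": supplier, "domain": domain}
    name_fold = name.strip().lower()
    for supplier in suppliers:
        if name_fold and supplier.lower() in name_fold:
            return {"verdict": "name_spoof", "supplier": supplier, "domain": domain}
    return {"verdict": "unknown", "supplier": None, "domain": domain}


if __name__ == "__main__":
    # Constructed sample headers, one per verdict the screen can produce.
    samples = [
        "Acme Fasteners AP <invoices@acme-fasteners.com.au>",
        "Acme Fasteners AP <billing@invoices.acme-fasteners.com.au>",
        "Acme Fasteners AP <invoices@acrne-fasteners.com.au>",  # rn for m
        "Acme Fasteners AP <invoices@acme-fastener5.com.au>",   # 5 for s
        "Acme Fasteners AP <invoices@acme-fasteners.com>",      # dropped .au
        "Northwind Logistics <accounts@gmail.com>",             # name on free-mail
        "Jane Doe <jane@example.org>",
    ]
    for s in samples:
        print(f"{screen_from_header(s)['verdict']:10} {s}")
```

A lookalike or name_spoof verdict should stop the invoice from entering the payment run until the supplier has been contacted on a number already on file. An edit distance of two is a blunt instrument: on very short domains it will match unrelated names, so treat it as a triage signal rather than proof of fraud, and keep the vendor master as the only source of approved domains.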

Software supply chain attack statistics

25. Dragonfly compromised legitimate vendor download sites, replacing installers for industrial control system software with trojanised versions.

Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to reach source code, build processes or update mechanisms and infect legitimate applications so that they distribute malware. One example is Dragonfly, a cyber espionage group that compromised the websites of industrial control system software vendors and swapped the genuine installers for trojanised ones, so customers installed malware along with the software they had bought.

26. Upstream attacks on open source ecosystem up 400% as criminals compromise apps at scale.

In an upstream attack the attacker compromises a system that sits upstream of many users, such as an update server or a package repository, so that everything downstream that pulls from it receives the malicious version; for example, the attacker plants a malicious update on the server that users' machines fetch automatically. Most users are unaware of upstream attacks or how severe they can be, so all stakeholders must be informed about the cyber security risks in the supply chain.

27. According to reports, an attacker gained access to Passwordstate's update mechanism and used it to harvest the data stored in customers' installations.

Passwordstate, an enterprise password manager made by the Australian software house Click Studios, runs as a self-hosted web application that organisations use to store and share credentials. In April 2021 it suffered a supply chain attack in which the attacker compromised the product's in-place upgrade mechanism.

Customers who ran the upgrade during the roughly 28-hour window received a malicious DLL that harvested data from the Passwordstate instance, including stored credentials, and sent it to an attacker-controlled server. Affected customers included banks, universities, consultants, government agencies and defence contractors, all of whom were advised to reset every password held in the system.

28. The SITA data breach exposed frequent-flyer records at several airlines, including Malaysia Airlines' Enrich programme; Singapore Airlines alone reported around 580,000 affected members.

The SITA data breach in early 2021 is an example of how one compromised service provider exposes many customers. Attackers stole passenger data from servers of SITA's Passenger Service System in the United States, and because airlines share frequent-flyer data through SITA's systems, carriers that had never been attacked directly, such as Singapore Airlines, were affected.

Singapore Airlines said around 580,000 of its KrisFlyer and PPS Club members were affected by the SITA breach. Data sharing alone was enough for the attack to propagate across the entire supply chain.

29. NotPetya was a massive destructive malware attack that spread through poisoned updates of a widely used accounting program.

Keep in mind that an incident like NotPetya is one every CFO and accounting department should know about: accounts payable teams depend on accounting software, and that software's update channel is itself a supply chain risk.

NotPetya reached its victims through M.E.Doc, a Ukrainian accounting program: attackers compromised the vendor and used the application's auto-update mechanism to push malicious updates to its users on three separate occasions in 2017. Those updates installed a backdoor that let the attackers deploy the NotPetya malware remotely. It posed as ransomware, but it was built to destroy data rather than to collect a ransom.

30. The Kaseya ransomware incident encrypted the files of over 1,500 businesses.

On 2 July 2021, managed service providers and their customers were hit by the Kaseya attack. REvil affiliates exploited vulnerabilities in Kaseya's VSA remote-management software that let them bypass authentication and run arbitrary commands, then used VSA's own deployment function to push ransomware to the MSPs' customers. More than 1,500 small and medium-sized businesses that rely on third-party IT contractors were impacted.

Invoice fraud statistics

31. Research finds that small and medium sized businesses are more at risk of being targeted for invoice fraud. About 30% of these companies aren’t even aware of the risk.

Several types of cyber attack can target supply chains, and invoice fraud is one of the most common. It typically involves criminals redirecting business payments into their own bank accounts, often by impersonating an employee or vendor through a hijacked or spoofed business email account.

32. Scammers are also getting better at what they do, with total invoice fraud losses jumping by 180% in the same period.

Data collected by the ACCC suggests that businesses lost more than $128 million last year to scams of all sorts – close to $2.5 million each week. Invoice fraud may include fraudsters changing bank account details, sending forged supplier invoices, and intercepting and altering legitimate invoices.

33. According to MineralTree, 68% of executives reported that they had received a fake invoice or experienced an attempted form of payment fraud – that's 2 out of 3 executives.

Some fraudulent invoices also carry malicious attachments, including malware that can compromise a business's finance systems, data storage and future earnings.

34. 43% of businesses are unaware of the existence of invoice fraud.

An invoice passes through several stages between issue and payment, and it can be edited in transit in ways that evade detection. Scammers forge invoices outright, alter genuine ones, and even answer the callback confirmation themselves when it is made to a number printed on the altered invoice. Any gap in this process can result in a fraudulent payment.

35. In February 2020, Shark Tank’s Barbara Corcoran nearly lost close to US$400,000 to a BEC supplier invoicing attack.

Business Email Compromise scammers either send a fraudulent invoice that looks legitimate or redirect a genuine payment to an account they control. To avoid this, cross-check the sender's email address, verify any change by phone using a number already on file, and where possible confirm in person.

36. According to the ACCC, in Australia, the average losses to invoice fraud are more than five times higher than the average losses in the same period last year.

Invoice fraud is a criminal act that impacts all stakeholders of a business regardless of size or shape. However, the primary targets are business executives or junior employees. Employees of lower rank, or who aren’t versed in current scam trends, are more likely to fall victim to invoicing fraud. The outcomes are only getting worse, with more and more people becoming victims each year.

37. An invoice fraud victim lost over $16,000 in a single transaction after a scammer used a staff member's email to send an invoice with "updated bank details" to a customer.

Scamwatch reports one instance in which a business was defrauded of over $16,000 in a single transaction through invoicing fraud. An employee who notices an attack should report it to their area manager and the Chief Financial Officer so it can be stopped or prevented from recurring. Controls such as keeping software updated, tightening email settings (for example, flagging external senders), and using strong multi-factor authentication on email accounts reduce the risk.
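The verification step behind items 34, 35 and 37 above (never pay against changed bank details until they have been confirmed on a number already on file, not the one printed on the invoice), as an added worked example. This is illustrative code, not Eftsure's product; the vendor records, invoices, phone numbers and dates are constructed.

```python
"""Hold a payment whose bank details do not match the vendor master and
require out-of-band verification before release.  Added example with
constructed vendors, invoices and phone numbers; not Eftsure's product code."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Payments to details changed this recently are held even when they match:
# a fraudulent "update" often arrives days before the invoice that exploits it.
COOLING_OFF_DAYS = 7


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    bsb: str                  # bank branch code as held in the vendor master
    account: str
    phone_on_file: str        # verified at onboarding; never taken from an invoice
    details_changed_on: date  # when bsb/account were last changed


@dataclass
class Invoice:
    vendor_id: str
    number: str
    amount: float
    bsb: str
    account: str
    contact_phone: str        # whatever the invoice says: untrusted


@dataclass
class Decision:
    action: str                        # "release" or "hold"
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None   # number to call back on, from the record


def digits(s: str) -> str:
    """Compare numbers on digits only, so '062-000' equals '062 000'."""
    return "".join(c for c in s if c.isdigit())


def screen_invoice(inv: Invoice, vendor: VendorRecord, today: date,
                   callback_verified: bool = False) -> Decision:
    """Decide whether an invoice may be paid as presented.

    callback_verified is set by AP only after phoning vendor.phone_on_file
    (the number from the master record, not the one on the invoice) and
    confirming the bank details with a known contact."""
    if inv.vendor_id != vendor.vendor_id:
        return Decision("hold", ["invoice vendor id does not match record"])
    hold_reasons, notes = [], []
    if digits(inv.bsb) != digits(vendor.bsb) or digits(inv.account) != digits(vendor.account):
        hold_reasons.append("bank details on invoice differ from vendor master")
    if (today - vendor.details_changed_on).days < COOLING_OFF_DAYS:
        hold_reasons.append("vendor bank details changed within cooling-off period")
    if digits(inv.contact_phone) and digits(inv.contact_phone) != digits(vendor.phone_on_file):
        # Not a hold reason by itself, but the number on the invoice must
        # never be used for the callback: it may belong to the fraudster.
        notes.append("invoice contact number differs from number on file")
    if hold_reasons and not callback_verified:
        return Decision("hold", hold_reasons + notes, verify_via=vendor.phone_on_file)
    return Decision("release", hold_reasons + notes)


# Constructed sample data.
AS_OF = date(2021, 3, 1)
ACME = VendorRecord("V001", "Acme Fasteners", "062-000", "12345678",
                    "+61 2 9000 0001", date(2021, 1, 4))
# Same vendor, but AP changed the account three days ago on an e-mailed request.
ACME_RECENT_CHANGE = VendorRecord("V001", "Acme Fasteners", "062-000", "99887766",
                                  "+61 2 9000 0001", date(2021, 2, 26))
GENUINE_INVOICE = Invoice("V001", "INV-1001", 18400.00, "062 000", "12345678",
                          "+61 2 9000 0001")
REDIRECTED_INVOICE = Invoice("V001", "INV-1002", 16250.00, "062-000", "99887766",
                             "+61 4 1234 5678")

if __name__ == "__main__":
    for vendor in (ACME, ACME_RECENT_CHANGE):
        for inv in (GENUINE_INVOICE, REDIRECTED_INVOICE):
            d = screen_invoice(inv, vendor, AS_OF)
            print(inv.number, d.action, d.reasons, "call back on:", d.verify_via)
```

The two design points worth copying into any AP process are that the callback number comes from the vendor master rather than from the invoice, and that a recently changed record is held even when the invoice matches it, since the change itself may be the fraud. The cooling-off period is an assumption of the example; the right value depends on how quickly the business can complete callbacks.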

38. Sadly, even the largest businesses fall victim to invoice fraud. Among the headline cases in the FBI's recent report are the Shark Tank investor and Amazon cases. In the Amazon case, a fraudster manipulated vendor data to fool Amazon's systems into processing over $19 million in fake transactions.

39. Attacks that employed invoice or payment fraud jumped by 155%. It was discovered to be the most pervasive type of BEC tactics.

Attackers use several BEC tactics to get into financial accounts, including spear phishing and the theft of login credentials. The most common choice is to target large enterprises with payment and invoice fraud, because the payoff is larger. Victims often do not realise they have been compromised, precisely because the technique is so simple.

FAQs

The most common risks in supply chain companies are data leaks, supply chain breaches and malware attacks. Data leaks can come from both internal and external sources: insiders such as managers and employees, and outsiders such as competitors and hackers, may expose confidential business information.

Most security breaches happen when a hacker or a malicious user gains access to an operating system or network without authorization.

Companies should stay vigilant to threats against their supply chain, including when adding new security controls. CFOs should be mindful of all the risks, including those posed by the third-party vendors they partner with. The greatest risk in the supply chain is unverified or dishonest vendors: taking a vendor's word for its identity and bank details, rather than verifying them independently, is not a sufficient precaution.

For CFOs to prioritise cyber security in their supply chain, it is critical not to take shortcuts on third-party due diligence and screening. The typical process includes screening, verification and policies such as zero trust, under which no vendor or connection is trusted by default, to minimise the chance of attack.

No business is completely safe from supply chain threats, but companies can minimise the risk of attacks, and the fallout when one occurs, by communicating proactively with their IT department and acting quickly.

Those in a leadership position must follow a comprehensive response plan in order to ensure an efficient response to supply chain attacks. The documented plan must detail each leader’s role at each stage of the incident.
