- Businesses are expected to incur nearly $46 billion in costs from software supply chain attacks globally this year, according to a study Juniper Research released Thursday.
- Financial losses attributed to software supply chain cyberattacks will jump 76% and cost the global economy almost $81 billion in lost revenue and damages by 2026, the research found.
- Organizations in healthcare, finance, government and automotive are expected to bear the majority of these costs, according to Juniper Research.
Absent significant structural changes to software supply chain security management, unsuspecting organizations will continue to fall victim to cyberattacks linked to a piece of software in their environment.
Juniper Research analysts pin the continued jump in costs to organizations’ insufficient cybersecurity resources, a failure to recognize the value of the data and processes they interact with, and a lack of awareness about what constitutes this persistent threat.
The supply chain attack against 3CX in March stresses the extent to which these attacks can accelerate and damage many downstream victims. The compromise of 3CX and its build environment occurred when a 3CX employee used their credentials to download and install malware-laced X_Trader software from Trading Technologies, according to Mandiant.
Mandiant Consulting CTO Charles Carmakal, at the time, described it as the first multitiered supply chain attack where the software supply chain attack of one company led to the software supply chain attack of another company and product.
The software supply chain attack against X_Trader claimed at least four additional victim organizations, according to the Symantec Threat Hunter Team.
Bolstering the security of software is a core tenet of the White House’s national cybersecurity strategy. Cyber authorities in the White House and the Cybersecurity and Infrastructure Security Agency want to shift the responsibility for security on software, hardware and platform providers onto the vendors developing and selling those products.
Some vendors have pushed back on the secure-by-design and secure-by-default principles outlined in the strategy, Acting National Cyber Director Kemba Walden told journalists during a briefing last month at the RSA Conference.
U.S. officials are assessing how far they can go in achieving this responsibility shift. Most experts acknowledge congressional legislation will be required, but Walden said a software liability regime from the current Congress is unlikely.