Monday, 23 July 2018 20:43

Research finds Australian organisations largely unprepared for supply chain attacks


Global research conducted by security software vendor CrowdStrike reveals many companies lack visibility and awareness to combat supply chain attacks despite the majority having experienced breaches.

CrowdStrike was named by Forrester Research earlier this month as the leader in Endpoint Detection and Response, with the top ranking in “current offering”, “market presence” and “strategy”, along with the highest possible score in 14 categories. Forrester previously named CrowdStrike a leader in Endpoint Security Solutions, making the company “the only named a leader in both EDR and ESS,” says Michael Sentonas, vice-president Technology Strategy, CrowdStrike.

CrowdStrike today announced the results of its global supply chain survey, Securing the Supply Chain, produced by independent research firm Vanson Bourne. The survey polled 1300 senior IT decision-makers and security professionals across major industries in Australia, the US, Canada, the UK, Mexico, Germany, Japan and Singapore.

A supply chain attack is a cyber attack that initially strikes an organisation indirectly, by targeting less secure elements in its supply network. No industry is more or less susceptible to a supply chain attack than any other, whether financial, oil, government, health or other. The Stuxnet computer worm is an example of a supply chain attack. Management experts recommend strict control of an institution’s supply network to prevent potential damage from cyber criminals.

Yet the survey finds that although nearly 80% of respondents believe software supply chain attacks have the potential to become one of the largest cyber security threats over the next three years, only a few organisations are prepared to mitigate the risks.

Out of all responses around the globe, it is Australian organisations that take the longest time - 96 hours - to action a supply chain attack. By contrast, Japan acts within 54 hours.

The research reveals 77% of Australian respondents believe supply chain attacks will continue to be one of the biggest threats within the next three years, and further says Australian businesses know internally they need to invest more in cybersecurity, but the supply chain is not front of mind.

Eighty-five percent of Australian respondents believe security is a critical factor when making purchasing decisions surrounding new suppliers, and 80% of organisations state they avoid working with less-established vendors due to perceived weaknesses in security strategy, yet only 21% vet suppliers. Only 37% of respondents in the US, UK and Singapore said their organisation had vetted all suppliers — new or existing — in the past 12 months. Only 25% believed with certainty their organisation would increase supply chain resilience in the future.

Two-thirds of the organisations surveyed experienced a software supply chain attack in the past 12 months. Ninety percent confirmed they incurred a financial cost as a result of these attacks, with an average exceeding $1.1 million. Within Australia, the average cost to local businesses was more than $1.37 million, above the global average, and higher than Asia Pacific neighbours.

Having a strategy doesn’t provide immunity by itself: 87% of those that suffered an attack had a full strategy in place or some level of response pre-planned at the time of their attack.

“It’s very serious,” Sentonas says. “If it takes an organisation the best part of a week to try and respond to an attack, and you think about the attacks seen in 2017 — WannaCry in May and NotPetya in June — this is a lot of damage. If it’s taking half a week to respond there’s a period of time the business may have lost data and where the attacker could have established persistence inside the organisation. It can cause a lot of damage.”

“It’s incumbent on enterprises of all sizes to be prepared for these types of issues,” Sentonas says, and “having the technology in place to identify an attacker is on the network, and having the ability to effectively leverage the right skills to hunt for an attacker to mitigate an attack and to even removing them from the network.”

“In my travels I see Japan and Singapore really doubling-down and investing in these areas while in Australia we still see naive debate about prevention being better than cure, as well as marketing slogans from the security industry itself,” Sentonas states.

Security comes down to "survival of the fastest", Sentonas advises. “You have to think about everything you do in security – how quickly can you detect, investigate, remediate and contain.”

Benchmarking against the best in the industry means you have 60 seconds to detect an issue or incident going on in your organisation, then 10 minutes to investigate. Once you have built a plan you have about one hour to remediate and contain it. This doesn’t relate to commodity malware — that should simply be prevented from execution immediately — but to a whole range of attacks you can’t deal with proactively. These are the response rates CrowdStrike says we need to strive for, yet at 96 hours Australian organisations are way behind.

The argument cannot be whether security is nice to have, or something you do if you can. “You need to protect your sensitive information, the intellectual property that puts you into business, and your employer and customer data. There is no way of accepting that risk and saying ‘I’m not going to pay for that risk or to secure that information’. It has to be done,” Sentonas says. “You either do it yourself or work with someone who can provide the service to you.”

To that end, CrowdStrike also announced a new 24x7 platform service titled EPP Complete, to monitor and respond to threats within organisations that do not have in-house security skills or access to a reseller who can provide it for them.

CrowdStrike further recently announced a new financing round of $US 200 million, with existing investors increasing their contribution and new investors joining in. The injection of cash allows CrowdStrike “to accelerate our roadmap in some of the strategies we have in play”, Sentonas says. “It’s another vote of confidence by our investors and in new investors wanting to come in, looking at what we do today, and our potential. Together with the Forrester report it has been a pretty significant time.”

Internationally, CrowdStrike now exceeds 1000 employees, including increasing its Australian staffing within sales, marketing and channel, hiring 12 people in the last four weeks.

CrowdStrike’s core Falcon product now provides for all customers using the endpoint detection and response solution to carry out incident response within the platform, empowering responders to quickly access systems from anywhere in the world, investigating, taking action and eradicating threats quickly.

A new subscription model, Falcon X, has also been announced, expanding the Falcon platform and enabling customers to be more proactive. “It turns a level one helpdesk analyst into tier security operations centre engineers,” Sentonas says. “It combines malware intelligence and threat intelligence and automates all the analysis, delivering a single simple report advising all that is going on in an organisation.”

Other announcements include enhancements to CrowdStrike’s machine learning model and more integrations to other technology providers.

“The research focused on supply chain attacks, but we need to look at what else it means. The key point is around the time it takes to respond,” Sentonas said.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
