Sophos, a network and endpoint security, announced the findings of its global survey “The Impossible Puzzle of Cybersecurity,” which reveals only 16% of IT managers consider supply chain a top security risk, exposing an additional weak spot that cybercriminals will likely add to their list of attack vectors.

The survey polled 3,100 IT decision-makers from mid-sized businesses in Australia, Brazil, Canada, Colombia, France, Germany, India, Japan, Mexico, South Africa, United Kingdom, and the United States. All respondents were from organizations with between 100 and 5,000 employees.

“Cybercriminals are always looking for a way into an organization, and supply chain attacks are ranking higher now on their list of methods,” said Chester Wisniewski, Principal Research Scientist, Sophos. “IT managers should prioritize supply chain as a security risk, but don’t, because they consider these attacks perpetrated by nation-states on high profile targets. While it is true that nation-states may have created the blueprints for these attacks, once these techniques are publicized, other cybercriminals often adopt them for their ingenuity and high success rate.”

“Supply chain attacks are also an effective way for cybercriminals to carry out automated, active attacks, where they select a victim from a larger pool of prospects and then actively hack into that specific organization using hand-to-keyboard techniques and lateral movements to evade detection and reach their destination.”

Maximum impact

The Sophos survey shows how attack techniques are varied and often multi-staged, increasing the difficulty to defend networks. One in five IT managers surveyed didn’t know how they were breached, and the diversity of attack methods means no one defensive strategy is a silver bullet.

“Cybercriminals are evolving their attack methods and often use multiple payloads to maximize profits. Software exploits were the initial point of entry in 23% of incidents, but they were also used in some fashion in 35% of all attacks, demonstrating how exploits are used at multiple stages of the attack chain,” said Chester Wisniewski, principal research scientist, Sophos.

“Organizations that are only patching externally facing high-risk servers are left vulnerable internally and cybercriminals are taking advantage of this and other security lapses.”

The wide range, multiple stages and scale of today’s attacks are proving effective. For example, 53% of those who fell victim to a cyberattack was hit by a phishing email, and 30% by ransomware. Forty-one percent said they suffered a data breach.

The report also saw that nation-state adversaries have proven how successful supply chain attacks are, which means common cybercriminals are likely to adopt the attack method. IT or security people need to realize that supply chain attacks are launchpads to emerging automated and active-adversary attacks.

The survey also found out that software exploits were the initial cause of 23% of incidents and used in 35% of cyberattacks, demonstrating how exploits are used at multiple stages of the attack chain. Phishing is not yet dead, in fact, phishing emails affected 53% of those hit by a cyberattack. The same goes for ransomware where there are 30% of attack victims.

With cyber threats coming from supply chain attacks, phishing emails, software exploits, vulnerabilities, insecure wireless networks, and much more, businesses need a security solution that helps them eliminate gaps and better identify previously unseen threats. Sophos Synchronized Security, a single integrated system, provides this much-needed visibility to threats by integrating Sophos endpoint, network, mobile, Wi-Fi, and encryption products to share information in real-time and automatically respond to incidents.