UK targeted attacks have gone from four a year to 500 a day in just two years, according to Misha Glenny, security author and journalist.
“But it is not just big corporations that are being targeted, attackers are going after everyone in the supply chain," Misha Glenny told attendees of RSA Conference Europe 2012.
In his keynote address at the start of the London conference, RSA executive chairman Art Coviello said organisations are interdependent as never before.
“An attack on one is an attack on all; organisations are crazy if they don’t act,” Coviello said, regarding research that found relatively few organisations have a mature risk-based approach to information security.
That there is no evidence of any attacks on customers in the 19 months since RSA’s security breach, has not reduced the company’s belief in the skill and determination of adversaries, said Tom Heiser, RSA president.
Supply chain vulnerability
Heiser said successful organisations are reconsidering their risk in creative ways, which includes looking at their supply chains.
“They are recognising the need to change their strategies; they accept the bad guys are in their networks; that it’s a fact of life,” said Heiser.
According to Hugh Thompson, programme chair at RSA Conference Europe 2012, there is a huge in interest in the supply chain, both for the 2012 European event in London and the 2012 US event in San Francisco.
“There is an increase in the depth of questions organisations are asking, with some requiring security attestations of suppliers of suppliers,” Thompson told Computer Weekly.
There is growing interest in finding ways to ensure a minimum security baseline throughout supply chains; and how to verify that such baselines are being adhered to.
“This is a serious issue. We have seen instance where attackers go after the weakest link in the chain and they are willing to wait a year or two before moving up the supply chain,” Thompson said.
SMEs under attack
In the past 18 months there has been a significant increase in the number of targeted attacks on small and medium businesses. This constitutes evidence of increased supply chain attacks, said Greg Day, European CTO and director of security strategy at Symantec.
Attackers know maller companies in any supply chain are typically the easiest targets, as they do not have the same security resources as larger organisations higher up.
However, growing awareness and concern about supply chain security has triggered a flood of security assessments. This is creating a new headache for IT professionals, said Day.
Paul Simmonds, co-founder of the Jericho Forum and former global CISO of AstraZeneca, said that, while supply chain security is important in some places, it is overhyped in others.
“It is important for things like the chip-and-pin supply chain, but we have known for years that network infrastructure is insecure, and if secure protocols are used, that should not matter,” he said.
For Simmonds, it is simply a question of using secure protocols for every exchange of information.
“If data is properly encrypted, why should not care if someone intercepts our data packets,” Simmonds said.