Supply Chain Attacks on the Rise as One of the Biggest New Threat Vectors as Organizations Scramble to Close Gaps


Global research survey discovers companies lack visibility, awareness
to combat supply chain attacks despite the majority having experienced

CrowdStrike® Inc., the leader in cloud-delivered endpoint protection,
today announced the results of its global supply chain survey, Securing
the Supply Chain, produced by independent research firm Vanson Bourne.
The study surveyed 1,300 senior IT decision-makers and IT
security professionals in the US, Canada, UK, Mexico, Australia,
Germany, Japan, and Singapore across major industry sectors.

The survey concludes that although nearly 80 percent of respondents
believe software supply chain attacks have the potential to become one
of the biggest cyber threats over the next three years, few
organizations are prepared to mitigate the risks. More specifically:

  • Two-thirds of the surveyed organizations experienced a software supply
    chain attack in the past 12 months. At the same time, 71 percent
    believe their organization does not always hold external suppliers to
    the same security standards.
  • The vast majority (87 percent) of those that suffered a software
    supply chain attack had either a full strategy in place, or some level
    of response pre-planned at the time of their attack.
  • Only 37 percent of respondents in the US, UK and Singapore said their
    organization has vetted all suppliers, new or existing, in the past 12
    months, and only a quarter believe with certainty their organization
    will increase its supply chain resilience in the future.
  • 90 percent of respondents confirmed they incurred a financial cost as
    a result of experiencing a software supply chain attack. The average
    cost of an attack was over $1.1 million.

While supply chain threats can occur in every sector of the economy, the
industries that most often experience these attacks are biotechnology and
pharmaceuticals, hospitality, entertainment and media, and IT services.
Following last year's NotPetya attack and with GDPR in effect,
organizations are more concerned about vetting their suppliers and
partners. In fact, 58 percent of senior IT decision-makers whose
organization has vetted software suppliers in the past 12 months stated
that they will be more rigorous when evaluating their partners, and
nearly 90 percent agree security is a critical factor when making
purchasing decisions surrounding new suppliers.

Although almost 90 percent of the respondents believe they are at risk
for supply chain attack, companies are still slow to detect, remediate
and respond to threats. On average, respondents from nearly all of the
countries surveyed take close to 63 hours to detect and remediate a
software supply chain attack, while the leading organizations aim to
eject an adversary in less than two hours, also known as "breakout
time," according to prior CrowdStrike research. However, the study
indicates that organizations are looking to adopt leading approaches to
breach protection such as behavioral analytics, endpoint detection and
response, and threat intelligence, with three quarters of respondents
using or evaluating these technologies.

"Fast-moving, advanced threats like supply chain attacks require
organizations to adopt new best practices in proactive security and
incident response. Our Services team has been called in to support many
companies that have suffered business-critical consequences as a result
of these prevalent threats," said Shawn Henry, president of CrowdStrike
Services and chief security officer. "The new attack methods we see
today call for coordinated, efficient and agile defenses. CrowdStrike is
supporting customers with a compelling combination of endpoint
protection technology, expert services, and intelligence to uncover
critical investigation information faster, accelerate incident response,
and enable companies to get back to business as quickly as possible."

According to Gartner, "Software- and hardware-based supply chain attacks
are also trending up… Consequently, monitoring higher layers for
behavior indicative of an attack is crucial to obtain better protection
against advanced adversaries. EDR capabilities are a prerequisite to
enable behavioral-based attack detection."1

CrowdStrike is the pioneer of cloud-delivered endpoint protection.
Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform
is the new standard for endpoint protection. Recently, the company was
recognized as a Leader in The Forrester Wave™: Endpoint Security Suites,
Q2 2018 report and was positioned the highest in ability to execute and
furthest in completeness of vision in the Visionaries Quadrant of the
2018 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP).2

For additional information, review the Supply Chain Survey Report here
or read a blog by Dan Larson, CrowdStrike's vice president of Product
Marketing here.

About CrowdStrike®

CrowdStrike is the leader in cloud-delivered endpoint protection.
Leveraging artificial intelligence (AI), the CrowdStrike Falcon®
platform offers instant visibility and protection across the enterprise
and prevents attacks on endpoints on or off the network. CrowdStrike
Falcon deploys in minutes to deliver actionable intelligence and
real-time protection from Day One. It seamlessly unifies next-generation
AV with best-in-class endpoint detection and response, backed by 24/7
managed hunting. Its cloud infrastructure and single-agent architecture
take away complexity and add scalability, manageability, and speed.

CrowdStrike Falcon protects customers against all cyber attack types,
using sophisticated signatureless AI and Indicator-of-Attack (IOA) based
threat prevention to stop known and unknown threats in real time.
Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates
over 100 billion security events a day from across the globe to
immediately prevent and detect threats. There's much more to the story
of how Falcon has redefined endpoint protection but there's only one
thing to remember about CrowdStrike: We stop breaches.

You can gain full access to CrowdStrike Falcon Prevent™ by starting your
free trial here.

About Vanson Bourne

Vanson Bourne is an independent specialist in market research for the
technology sector. Their reputation for robust and credible
research-based analysis is founded upon rigorous research principles and
their ability to seek the opinions of senior decision makers across
technical and business functions, in all business sectors and all major
markets. For more information, visit

Gartner does not endorse any vendor, product or service depicted in
its research publications, and does not advise technology users to
select only those vendors with the highest ratings or other designation.
Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to
this research, including any warranties of merchantability or fitness
for a particular purpose.

© 2018 CrowdStrike, Inc. All rights reserved. CrowdStrike®, CrowdStrike
Falcon®, CrowdStrike Threat Graph™, CrowdStrike Falcon Prevent™, Falcon
Prevent™, CrowdStrike Falcon Insight™, Falcon Insight™, CrowdStrike
Falcon Discover™, Falcon Discover™, CrowdStrike Falcon Intelligence™,
Falcon Intelligence™, CrowdStrike Falcon DNS™, Falcon DNS™, CrowdStrike
Falcon OverWatch™, Falcon OverWatch™, CrowdStrike Falcon Spotlight™ and
Falcon Spotlight™ are among the trademarks of CrowdStrike, Inc. Other
brands may be third-party trademarks.

1 Gartner, Roadmap for Improving Endpoint Security,
Published: 19 June 2018 ID: G00343353, Analyst(s): Peter Firstbrook

2 Gartner, Magic Quadrant for Endpoint Protection Platforms,
Published: 24 January 2018 ID: G00325704, Analyst(s): Ian McShane |
Avivah Litan | Eric Ouellet | Prateek Bhajanka
