- The Washington Times - Wednesday, December 8, 2021

More than six in 10 businesses have lost faith in Microsoft and other traditional IT vendors to protect their data from a growing rash of software supply chain attacks, according to a cybersecurity survey of IT decision-makers and security professionals.

The 2021 Global Security Attitude Survey of 2,200 professionals who oversee IT was commissioned by the cybersecurity firm CrowdStrike and conducted by third-party research firm Vanson Bourne from September to November. It found that “organizations are losing trust in legacy IT vendors as supply chain attacks pose a larger threat on businesses” in a dozen industries ranging from retail to health care.

Michael Sentonas, chief technology officer for CrowdStrike, told The Washington Times in an email that survey respondents reported “grappling with the inherent vulnerabilities that legacy software and technology places on their networks and systems.”

“In fact, 63% of respondents admitted that their organization is losing trust in legacy vendors, like Microsoft, due to frequent security incidents against these previously trusted technology suppliers,” Mr. Sentonas said Tuesday.

Cyberattacks during Microsoft software updates, in reply-all emails on Microsoft email servers and in email attachments with hidden ransomware have increasingly held U.S. businesses hostage in elaborate data extortion schemes.



More than two-thirds of U.S. organizations reported facing a ransomware attack in the past 12 months and the average ransomware payout is $1.55 million this year, up from $999,000 in 2020.

“Organizations are going to have to consider modern, cloud-native technologies designed to enhance their cyber resiliency and mitigate attacks against the software supply chain,” Mr. Sentonas said, suggesting that moving data from software-based systems to cloud-based storage will help secure it.

Contacted for comment, a Microsoft spokesperson emailed a statement to the Times and noted that the company has prevented over 70 billion attacks on its nearly 650,000 clients over the past year.

“This week we announced the result of a sustained effort to proactively take down nation-state attack infrastructure, protecting both our customers and the wider industry. We believe this is more valuable to our customers than self-serving market research that attacks fellow defenders,” the spokesperson wrote.

On Tuesday, Microsoft Corporate Vice President Tom Burt said the U.S. District Court for the Eastern District of Virginia had authorized the company to disrupt the hacking group known as “Nickel” in a series of 24 lawsuits against 10,000 malicious websites.

In the CrowdStrike survey, 81% of respondents said they “believe software supply chain attacks have the potential to become one of the biggest cyber threats to organizations like theirs within the next three years.”

The survey also showed U.S. organizations getting worse at detection compared to the rest of the world.

While the global average for IT specialists to detect a cybersecurity incursion is 146 hours in 2021, up from 117 hours in 2020, the U.S. average is now 165 hours.

That means the U.S. has shifted from being below the global average in 2020 — when it took U.S. organizations an average of 97 hours to detect a security incident — to being above the average.

The 2021 U.S. average is now the second highest globally, trailing India’s 358-hour average.

The U.K. and the Middle East currently have the fastest average detection rates — 66 hours and 63 hours, respectively, CrowdStrike reported in the survey.

Vanson Bourne conducted the interviews of senior IT decision-makers and IT security professionals in September, October and November.

Respondents were limited to organizations with 100 or more employees in the private and public sectors. Interviews were split equally between senior IT decision-makers and IT security professionals and equally between organizations of 100-1,999 employees and 2,000 or more employees.

The industries represented in the survey were aerospace, automotive and engineering; biotechnology and pharmaceuticals; energy, utilities, oil and gas; financial services and insurance; health care; hospitality, entertainment, food, beverages and media; IT, technology and telecoms; manufacturing and production; retail; transport; public sector; and other commercial sectors.

• Sean Salai can be reached at ssalai@washingtontimes.com.

Copyright © 2022 The Washington Times, LLC.