惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
Recent Commits to openclaw:main
Recent Commits to openclaw:main
H
Heimdal Security Blog
SecWiki News
SecWiki News
H
Hacker News: Front Page
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
TaoSecurity Blog
TaoSecurity Blog
AI
AI
C
Cybersecurity and Infrastructure Security Agency CISA
Scott Helme
Scott Helme
PCI Perspectives
PCI Perspectives
S
Securelist
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Cyberwarzone
Cyberwarzone
A
Arctic Wolf
Forbes - Security
Forbes - Security
T
Tor Project blog
Spread Privacy
Spread Privacy
WordPress大学
WordPress大学
I
Intezer
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
博客园 - 司徒正美
W
WeLiveSecurity
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V
V2EX
P
Palo Alto Networks Blog
Google DeepMind News
Google DeepMind News
IT之家
IT之家
阮一峰的网络日志
阮一峰的网络日志
V
Vulnerabilities – Threatpost
Jina AI
Jina AI
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
T
Threatpost
P
Privacy International News Feed
人人都是产品经理
人人都是产品经理
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Organizations can’t keep up with supply chain security musts
Connor Jones Connor Jones · 2025-06-26 · via The Register - Security: CSO

CSO

Supply chain attacks surge with orgs 'flying blind' about dependencies

Who is the third party that does the thing in our thing? Yep. Attacks explode over past year

The vast majority of global businesses are handling at least one material supply chain attack per year, but very few are doing enough to counter the growing threat.

New research from SecurityScorecard shows organizations and their security leaders are gravely concerned about supply chain risks. 88 percent of the 550 CISOs and other security higher-ups surveyed expressed worry over supply chain security, but far fewer than half actually monitor security fully across their external suppliers.

Nearly four in five organizations (79 percent) say that less than half of their nth-party supply chain – "nth-party" refers to the dependents and dependencies of their third-party suppliers – is overseen by a cybersecurity program.

"This means the vast majority of organizations are flying blind when it comes to securing the supply chains that keep their businesses running," said SecurityScorecard in its report.

"In fact, 36 percent of respondents revealed that only 1-10 percent of their supply chain is protected, a sharp indicator amid the rising tide of third-party breaches."

Risk assessments are often completed using questionnaires, self-reported ones at that ...

For those organizations that have the visibility into their wider supply chain, it's likely that the data they get back makes for grim reading. 

Nearly two-thirds (62 percent) of security leaders said that less than half of their third and nth-party suppliers match their own organization's security requirements. 

"At the very least, you would expect your third-party and nth-party vendors to match your company's security protocols," said SecurityScorecard. "But that's simply not the case."

The apathy from or inability of both customers and their suppliers to monitor supply chain security and meet security standards respectively, naturally leads to an unwelcome number of attacks.

71 percent of security leaders reported that their organization had experienced at least one incident which had a material impact on their business in the past year alone.

More than a third (37 percent) experienced three or more of these, and 5 percent suffered 10 or more attacks linked to external entities across their supply chain over the same period.

Supporting the vendor's findings is Verizon's data breach investigations report 2024, in which it noted there was a global 100 percent increase in third-party breaches across the year. These incidents comprised 30 percent of the total number of attacks in 2024, up from 15 percent the year before.

Visibility is one of the major issues affecting organizations' susceptibility to supply chain attacks, but where there is a will to improve, there often is not a way.

The most common blockade to supply chain security is a data overload, the report noted. When the responsibility for managing supply chain security so often falls to the security operations center (SOC) team, which are generally known for being inundated with alerts on the best of days, it's not a surprising finding that it continues to be a pain point for organizations.

What's the solution?

Talk to most cybersecurity experts and you'll hear them preach the value of cyber resilience. The NCSC certainly does, and has done for years. 

Cyber resilience generally refers to reaching a point where an organization can confidently and effectively detect, neutralize, and recover quickly from any kind of cyber attack. 

Ideally, the first two steps would prevent the third from being a requirement, but this is the real world.

While not so easy to achieve, ensuring your organization is doing the basics right can go some way in mitigating the adverse effects of a third-party security breach.

For SecurityScorecard, it said: "achieving true resilience requires a holistic supply chain cybersecurity strategy." Its data suggested that most organizations aren't taking all the necessary steps, or when they are, they're not always being done as effectively as they could be.

For example, one aspect of a supply chain security strategy, and one that can resolve the visibility issues organizations face, is to carry out risk assessments on all supply chain members.

Over half of respondents (56 percent) take this step, although 36 percent say they experience difficulties in getting useful responses.

This is likely because risk assessments are often completed using questionnaires, self-reported ones at that, which invariably leads to biased and unverified conclusions.

The most common step to tackle supply chain risks is to take out a cyber insurance policy that specifically covers such events – 63 percent of all organizations have coverage for worst-case scenarios.

Most organizations also train their employees on cybersecurity awareness, and carry out continuous monitoring, but of all the other risk-reducing strategies only a minority of security leaders said they made use of them.

Only 38 percent of organizations have formal onboarding and offboarding processes when it comes to introducing or removing vendors from their environments, for example. A similarly low percentage speak with their vendors about their security issues to identify the root cause, and even fewer (26 percent) carry out joint tabletop exercises with them.

SecurityScorecard said: "The way most organizations manage supply chain cyber risk isn't keeping pace with the expanding threats. Regaining a true sense of security means investing in not just identifying risk, but in responding to those risks in real time. 

"While traditional third-party risk management had its place, it's time for leaders to move beyond prevention and toward resilience. The next wave of third-party cyber incidents won't wait for better processes. 

"In an era of systemic threats, resilience can't wait. It must be built now – from the inside out." ®