("SolarWinds letters" by sfoskett is licensed under CC BY-NC-SA 2.0)

The Identity Theft Resource Center (ITRC) on Monday reported that the 1,862 data compromises it recorded in 2021 was up more than 68% compared with 2020 — and for last year, cloud-based supply chain attacks were classified as the fourth most common attack vector.

In other important findings from the ITRC report, ransomware-related data breaches have doubled in each of the past two years. At the current rate, the ITRC said ransomware will surpass phishing as the No. 1 root cause of data compromises in 2022. Also in the report, the manufacturing and utilities sector saw the largest percentage increase in data compromises at 217% over 2020.

The continued explosion of ransomware and associated data loss has been exacerbated by the ever-growing collection of digital data on individuals by not only the entities consumers do business with, but also marketing groups that compile and collect data on potential customers at a significant rate, said Erich Kron, security awareness advocate at KnowBe4.

“Data, even just metadata, has a significant value and is therefore collected at staggering rates,” Kron said. “While data being lost due to ransomware is exceeding losses due to phishing emails, ironically, email phishing is also the primary way that ransomware is being spread, so a strong defense against one, is also very beneficial toward the other.” 

Oliver Tavakoli, CTO at Vectra, added that one year since the SolarWinds hack was publicly disclosed, supply chain attacks and ransomware have been in the news and top-of-mind for security professionals and the software development community. In working on these supply chain issues, security teams have been asking more questions about the security practices of their software suppliers, as well as building their own capability to detect when software they intentionally procured shows signs of being possessed.

“So one year later we are (somewhat) wiser and less trusting of what we get from others,” Tavakoli said. “Time will tell if that will be enough to head off new variants of supply chain attacks over the coming years. The upside to nation states which succeed at these types of hacks is too great to imagine that the demand will wane.”

Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows, said the SolarWinds incident was a powerful reminder of the importance of third-party risk monitoring in security programs.

“To improve their security posture, all organizations should not automatically grant access and permissions to third-party software and hardware,” De Blasi said. “They should instead constantly verify these devices, users, and programs operating within or alongside their perimeter. The zero-trust architecture framework embodies this strategy principle that organizations should adopt to improve their security.”

Sam Jones, vice president of product management at Stellar Cyber, said the proliferation of software as a service (SaaS) in the enterprise has made great improvements for business operations, but it comes with rapidly growing risks through supply chain exposure.

“Many enterprises use hundreds of SaaS applications and realistically do not know what data is stored where, what are all the SaaS-based dependencies on critical business operations, and don’t have any defensive monitoring in place for their SaaS landscape,” Jones said. “There has always been supply chain risk, but that risk is growing exponentially as SaaS has taken over many verticals."