'Potentially unsecured' SMBs are propping up an IT supply chain riddled with ransomware

New research has shown that more than half of global organisations have had their supply chains impacted by potentially unsecured SMBs falling victim to ransomware attacks.

Security firm Trend Micro’s report showed that 52% of organisations have had their supply chains affected by the threat, and the vast majority of those surveyed (90%) feel that their partners, their customers, or both are making them a “more attractive target” for attacks.

The same proportion of organisations (52%) also said that their supply chains are “very significantly” or “significantly” propped up by SMBs that may be prone to less secure cyber practices.

Despite this, Trend Micro observed that organisations are reluctant to work with their partners to improve security throughout the supply chain.

“We found that 52% of global organisations have had a supply chain organisation hit by ransomware, potentially putting their own systems at risk of compromise”, said Bharat Mistry, technical director at Trend Micro.

“But many aren’t taking steps to improve partner cyber security,” he added. “The first step towards mitigating these risks must be enhanced visibility into and control over the expanding digital attack surface.”

Only 47% of organisations share information about ransomware attacks with partners or suppliers, and that figure drops to 25% for general threat information, the survey results showed.

Against that backdrop, 15% of IT leaders (roughly one in seven) reported that they could not be sure whether a partner or supplier had ever suffered a ransomware attack.

Ransomware has topped the list of cyber security threats to businesses for around five years, yet according to Trend Micro an average of 31% of organisations still don’t feel adequately protected against it.

Most metrics were broadly similar across regions, but confidence in an organisation’s cyber security posture varied substantially from region to region.

Hong Kong was the region with the most confidence in its organisations’ cyber security resilience. Of the 102 respondents from the region, just 18% were unconvinced about their security posture, even though Hong Kong reported the highest proportion of organisations by region to have experienced a ransomware attack in the last three years (83%).

Other regions were more circumspect. In Norway, 58% of the 105 surveyed organisations reported a lack of confidence in their cyber security resilience.

That caution looks better founded: 75% of Norwegian organisations reported at least one ransomware attack in the past three years, a figure that placed the country toward the upper end of the range across the surveyed nations.

Trend Micro said that “there is no silver bullet when it comes to reducing ransomware risk in the supply chain”, but there are several important steps that businesses aren’t currently taking.

“The key is first to gain a comprehensive understanding of the supply chain itself and corresponding data flows so that high-risk suppliers can be identified,” it said.

“They should be regularly audited where possible against industry baseline standards. And similar checks should be enforced before onboarding new suppliers.”

Implementing security controls such as least-privilege policies for all devices and services, enabling multi-factor authentication (MFA), scanning open source components for known vulnerabilities before they are built into CI/CD pipelines, and performing regular backups, among others, can all go a long way towards becoming more cyber resilient.
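As an added illustration of the dependency-scanning control mentioned above (example code written for this page, not from the article or from Trend Micro), the following Python gate parses a pip-style lockfile and fails the build when a pinned open source component falls inside a known-affected version range, or when a dependency is not pinned at all and so cannot be audited. The lockfile content, package names and advisory entries are constructed sample data with hypothetical identifiers; a real pipeline would pull advisories from a feed such as OSV or the GitHub Advisory Database and would need a full version-specifier parser rather than the plain dotted-numeric comparison assumed here.

```python
"""Minimal CI gate: refuse to build when a pinned dependency matches an advisory.

Added example, not the article's or Trend Micro's code. All package names,
versions and advisory identifiers below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed pip-style lockfile. 'loose-dep' is deliberately left unpinned.
SAMPLE_REQUIREMENTS = """
# constructed lockfile for the example
acme-parser==1.4.2
widget-utils==0.9.0
safe-lib==3.2.1
loose-dep>=2.0      # not pinned, cannot be audited
"""

# Constructed advisories: (package, first affected version, first fixed version, id).
# The range is [introduced, fixed), mirroring how OSV-style feeds express it.
SAMPLE_ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("acme-parser", "1.0.0", "1.4.3", "SAMPLE-ADV-001"),   # 1.4.2 is affected
    ("widget-utils", "1.0.0", "1.2.0", "SAMPLE-ADV-002"),  # 0.9.0 predates the bug
    ("safe-lib", "3.0.0", "3.2.1", "SAMPLE-ADV-003"),      # 3.2.1 is the fixed release
]

# name, optional comparison operator, optional version (comments stripped first)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)$")


def normalise(name: str) -> str:
    """Canonical package name: lower-case, underscores folded to hyphens."""
    return name.lower().replace("_", "-")


def version_key(version: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions (no pre-release or local tags)."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, padding shorter tuples with zeros."""
    v, lo, hi = version_key(version), version_key(introduced), version_key(fixed)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: exact_version}, [names that are not pinned with '==']).

    Comments and blank lines are ignored; an unrecognised line is an error,
    because silently skipping it would let an unaudited dependency through.
    """
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised requirement line: {raw!r}")
        name, op, version = match.groups()
        name = normalise(name)
        if op == "==" and version:
            pins[name] = version
        else:
            unpinned.append(name)
    return pins, unpinned


def find_vulnerable(pins: Dict[str, str], advisories) -> List[str]:
    """Match every pinned component against every advisory range."""
    findings: List[str] = []
    for pkg, introduced, fixed, advisory_id in advisories:
        version = pins.get(normalise(pkg))
        if version is not None and version_in_range(version, introduced, fixed):
            findings.append(f"{pkg}=={version} is affected by {advisory_id} (fixed in {fixed})")
    return findings


def gate(requirements_text: str, advisories) -> Tuple[bool, List[str]]:
    """Return (build_allowed, findings). Any finding blocks the build."""
    pins, unpinned = parse_requirements(requirements_text)
    findings = find_vulnerable(pins, advisories)
    findings += [f"{name} is not pinned to an exact version and cannot be audited" for name in unpinned]
    return (not findings), findings


if __name__ == "__main__":
    allowed, problems = gate(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for problem in problems:
        print("FAIL:", problem)
    # A non-zero exit is what makes the CI stage stop before the build step.
    raise SystemExit(0 if allowed else 1)
```

Run as a step before the build job; the non-zero exit code is the only contract the pipeline needs. Treating unpinned dependencies as failures is deliberate: a component whose version is chosen at build time cannot be matched against any advisory, which is exactly the visibility gap the report describes.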

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.