Cyber-attacks are costing suppliers higher auditing fees, even when it was their customer that experienced the attack, not them.
According to a recent study in Science Direct magazine, “The impact of customer firm data breaches on the audit fees of their suppliers”, a supplier’s auditing fees often jump by as much as 6% when a big customer experiences a cyberattack, even “when the supplier itself didn’t suffer a breach.”
“It’s not enough to know that your company is secure. A cyber breach at a key customer could have a big financial impact for your company,” said Tom Smith, co-author of the study and associate professor at the University of South Florida.
Other possible repercussions for suppliers in the wake of a cyberattack at a key customer: earnings could be significantly lower, inventory could sit longer than expected, or there may not be enough cash on hand to make debt payments, says Smith, who is also associate director at the University of South Florida’s Lynn Pippenger School of Accountancy.
“Auditors for public companies are required to account for supply-chain risk. When a company in the supply chain suffers a cyberattack, auditors may need more time or people to get a full grasp of the impact of the cybersecurity breach on a supplier’s financial statement. Accountants might also face increased litigation and reputational risk for auditing a company in the same supply chain as a company that has been hacked.”
Jason Keirstead, VP of Collective Threat Defense, Cyware:
“Today’s organizations need to broaden the scope of their security programs to include aiding in the defense of suppliers as well as the organization itself. Collective defense for supply chains enables critical intelligence sharing, operationalization, and collaboration for interconnected business ecosystems. This collaborative approach fosters a more proactive and resilient stance against cyber threats, getting beyond individual organizational boundaries.”
The fact that supply chain attacks, for example, are so devastating shows why everybody you deal with needs to be on the same page as you. There’s simply no other option anymore, as the threat landscape is too great.
CISA, The FBI, And MS-ISAC Release DDoS attack Guidance For The Public Sector
Posted in Commentary with tags Security on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC have published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.
The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attack: volume-based, protocol-based, and application layer-based attacks.
The advisory also emphasized the importance of putting measures in place to maintain service availability during a DDoS attack, such as increasing bandwidth capacity and implementing load balancing solutions that distribute traffic so that sudden spikes during an attack can be absorbed. It also recommends establishing redundancy and failover mechanisms to redirect traffic, and regularly backing up critical data to allow fast recovery and minimize data loss.
Stephen Gates, Principal Security SME, Horizon3.ai had this to say:
“Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks that are extremely difficult to defeat in the cloud, since defenses regularly end up blocking legitimate traffic.
“For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”
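A heuristic triage over per-source connection summaries, added here as an example (it is not from the advisory or from Horizon3.ai), that sorts sources into the three classes the advisory names and flags the low-and-slow pattern Gates describes by counting long-lived, near-idle connections per source rather than judging any single connection, which is where legitimate clients otherwise get blocked. The record format, the sample data and every threshold are assumptions for illustration.

```python
"""Triage per-source connection summaries into the three DDoS classes named in the
CISA/FBI/MS-ISAC guidance. Record format, sample flows and thresholds are assumed."""
from collections import defaultdict

# Constructed connection records (not real traffic): (src_ip, bytes, duration_s, handshake_done)
SAMPLE_FLOWS = [
    # one source pushing a huge amount of data: volume-based
    *[("203.0.113.10", 50_000_000, 1.0, True) for _ in range(20)],
    # one source opening many connections that never complete the handshake: protocol-based
    *[("198.51.100.7", 60, 0.1, False) for _ in range(500)],
    # one source holding many connections open while sending almost nothing: low-and-slow
    *[("192.0.2.33", 300, 120.0, True) for _ in range(150)],
    # ordinary clients, one short completed request each
    *[("192.0.2.%d" % i, 4_000, 0.5, True) for i in range(100, 110)],
]

WINDOW_S = 10.0           # observation window the records were collected over (assumed)
VOLUME_BPS = 50_000_000   # bytes per second per source that counts as volumetric (assumed)
HALF_OPEN_MIN = 100       # half-open connections per window per source (assumed)
SLOW_CONN_MIN = 50        # long-lived, low-byte connections per window per source (assumed)
SLOW_DURATION_S = 30.0    # a connection this old with few bytes is a low-and-slow candidate
SLOW_BYTES_MAX = 1_000

def summarize(flows):
    """Aggregate raw records per source so that no single connection decides anything."""
    per_src = defaultdict(lambda: {"bytes": 0, "half_open": 0, "slow": 0, "conns": 0})
    for src, nbytes, duration, done in flows:
        s = per_src[src]
        s["conns"] += 1
        s["bytes"] += nbytes
        if not done:
            s["half_open"] += 1
        elif duration >= SLOW_DURATION_S and nbytes <= SLOW_BYTES_MAX:
            s["slow"] += 1
    return per_src

def classify(summary):
    """Return the DDoS class for one source summary, or 'normal'.
    Checked loudest-first: a source that trips the volume check is reported as such."""
    if summary["bytes"] / WINDOW_S >= VOLUME_BPS:
        return "volume-based"
    if summary["half_open"] >= HALF_OPEN_MIN:
        return "protocol-based"
    if summary["slow"] >= SLOW_CONN_MIN:
        return "application-layer"
    return "normal"

def triage(flows):
    """Map each source address to its class for the whole window."""
    return {src: classify(s) for src, s in summarize(flows).items()}
```

The per-source counts are what keeps the ten ordinary clients out of the application-layer bucket even though each of them would look identical to one connection from the low-and-slow source.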
A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in every organization’s interest to add DDoS to the list of scenarios it needs a playbook for. Fortunately, this joint advisory will help with that.