Industry matters when assessing cyber risk to the defense industrial base
Manufacturing and research and development companies — not simply small and medium-sized businesses (SMBs) — bear the highest risk of cyberattacks within the defense industrial base, according to a BlueVoyant report released Tuesday.
The New York City-based cybersecurity company independently analyzed available third-party data from a sample of 300 small and medium-sized defense contractors and found industry mattered more than size in determining cyberattack risk. Smaller businesses remained more susceptible within their industries.
BlueVoyant’s report comes after a string of successful cyberattacks that targeted SMBs and raised the question of whether they, with their limited defenses, offer easiest access to the supply chain. The answer is more nuanced.
“Not only are R&D firms vulnerable, they are particularly attractive to attackers,” reads the report. “R&D firms work on cutting-edge products, develop valuable IP, and often create and sell software and tech that become components in larger and more important systems — making them attractive as points of entry for malicious insertion or IP theft.”
More than half of the SMBs assessed had unsecured ports critically vulnerable to potential ransomware attacks, while 48% had those and other severe vulnerabilities, like outdated software or operating systems, rendering them “high risk.”
Nearly 20% of the SMBs had multiple vulnerabilities and showed evidence of threat targeting, while 7% deemed “critical risk” had been compromised in some way.
BlueVoyant found 28% of the firms would likely fail to meet the most basic, level 1 Cybersecurity Maturity Model Certification requirements. That statistic is more troubling with nation-state adversaries and cybercriminals proving increasingly adept at finding the weakest link within supply chains and when exploitable weaknesses abound among SMBs.
Roughly 300,000 companies directly contract with the Department of Defense, and its CMMC requires “significant investment” in new controls from SMBs with limited budgets and technical expertise, according to the report.
Meanwhile, contract primes and other large companies are under “enormous pressure” to reduce the attack surface of their supply chains, without full visibility into the network security of the subcontractors they’re responsible for, according to the report. The financial and logistical costs of designating subcontractors to CMMC tiers and ensuring their compliance isn’t cheap, especially when one business’ tier may vary contract to contract — causing some primes to force their subcontractors to level up.
While BlueVoyant had no way of determining firms’ cybersecurity maturity in line with CMMC compliance, it did recommend companies use continuous cyber monitoring to secure their supply chains. More than six months after the announcements of the F5 and Microsoft Exchange vulnerabilities, nine companies that were either small manufacturers or large R&D companies still hadn’t addressed them due, in part, to reliance on point-in-time compliance assessments.
Most vulnerabilities SMBs had were tied to email security protocols or else unsupported software, suggesting a lack of patching policies and continuous monitoring, according to the report.
Primes should further focus on addressing issues with high-risk subcontractors based on industry and then size, BlueVoyant recommended.
The company believes predictive risk analysis of SMBs is ultimately possible but said a sample size larger than 300 businesses is needed.
