With the double challenge of keeping supply chains robust and secure, a new survey from ISACA (Information Systems Audit and Control) Association examined IT professionals’ key concerns around security challenges and how their organizations are responding to them.
Supply Chain Security Gaps: A 2022 Global Research Report received responses from more than 1,300 IT professionals with supply chain insight, 25% of whom note that their organization experienced a supply chain attack in the last 12 months. Survey respondents cited these five supply chain risks as being their key concerns:
- Ransomware (73%)
- Poor information security practices by suppliers (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)
Additionally, 30% of respondents say that their organization’s leaders do not have sufficient understanding of supply chain risks. Only 44% indicate they have high confidence in the security of their organization’s supply chain, and the same percentage has high confidence in the access controls throughout their supply chain. Their future outlook is not rosy either—with 53% saying they expect supply chain issues to stay the same or worsen over the next six months.
“Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats,” says Rob Clyde, past ISACA board chair, and executive chair of the board of directors for White Cloud Security., in a statement.“It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organization that need to be prioritized and addressed.”
When it comes to taking action, 84% indicate their organization’s supply chain needs better governance than what is currently in place. Nearly 1 in 5 say their supplier assessment process does not include cybersecurity and privacy assessments. Additionally, 39% have not developed incident response plans with suppliers in case of a cybersecurity event and 60%t have not coordinated and practiced supply chain-based incident response plans with their suppliers. Nearly half of respondents (49%t) say their organizations do not perform vulnerability scanning and penetration testing on the supply chain.
“Managing supply chain security risk requires a multi-pronged approach entailing regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers,” says John Pironti, president of IP Architects and a member of the ISACA Emerging Trends Working Group, in a statement. “Building strong relationships with your organization’s suppliers and establishing ongoing channels of communication is a key part of ensuring that reviews, information sharing and remediations happen smoothly and effectively.”
Pironti outlined some key steps that organizations should take when working to strengthen their IT supply chain security:
- You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide.
- Require disclosure of open-source software components.
- Conduct a threat and vulnerability analysis of key third parties for your business.
- Create a technical and organizational measures contract addendum for supply chain contracts.
- Trust, but verify. Conduct evidence-based reviews of key third parties.
“To advance digital trust, there needs to be a level of confidence in the security, integrity and availability of all systems and suppliers,” says David Samuelson, ISACA CEO. “As we have seen from previous incidents, customers do not differentiate between an attack on an element of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve supply chain security and governance.”
ISACA also offers additional publications on the topic, including the How to Manage Supply Chain Risk ebook.
