Security threats have heightened the supply chain challenges enterprises have faced over the past two years, and a new ISACA survey report finds only 44% of IT professionals surveyed have high confidence in the security of their organization’s supply chain.
Furthermore, 30% said their organization’s leaders don’t have a sufficient understanding of supply chain risks, and the future doesn’t look much better—53% said supply chain issues will stay the same or worsen over the next six months, according to the report by the professional association, which focuses on IT governance.
The report includes responses from more than 1,300 IT professionals with supply chain insight, 25% of whom noted that their organization experienced a supply chain attack in the last 12 months, the ISACA said.
Survey respondents cited five supply chain risks as their key concerns:
- Ransomware (73%)
- Poor information security practices by suppliers (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP (55%)
“Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats,” said Rob Clyde, past ISACA board chair, NACD board leadership fellow, and executive chair of the board of directors for White Cloud Security, in a statement. “It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organization that need to be prioritized and addressed.”
SEE: Mobile device security policy (TechRepublic Premium)
Better governance needed
When it comes to taking action, 84% indicated their organization’s supply chain needs better governance than what is currently in place. Nearly one in five said their supplier assessment process does not include cybersecurity and privacy assessments.
Additionally, 39% of respondents said they have not developed incident response plans with suppliers in case of a cybersecurity event and 60% have not coordinated and practiced supply chain-based incident response plans with their suppliers. Nearly half of respondents (49 percent) said their organizations do not perform vulnerability scanning and penetration testing on the supply chain.
“Managing supply chain security risk requires a multi-pronged approach entailing regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers,” said John Pironti, president of IP Architects and a member of the ISACA Emerging Trends Working Group, in a statement. “Building strong relationships with your organization’s suppliers and establishing ongoing channels of communication is a key part of ensuring that reviews, information sharing, and remediations happen smoothly and effectively.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How to strengthen IT supply chain security
Pironti outlined some key steps that organizations should take when working to strengthen their IT supply chain security:
- You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide.
- Require disclosure of open-source software components.
- Conduct a threat and vulnerability analysis of key third parties for your business.
- Create a technical and organizational measures contract addendum for supply chain contracts.
- Trust, but verify. Conduct evidence-based reviews of key third parties.
“To advance digital trust, there needs to be a level of confidence in the security, integrity, and availability of all systems and suppliers,” said David Samuelson, ISACA CEO, in a statement. “As we have seen from previous incidents, customers do not differentiate between an attack on an element of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve supply chain security and governance.”