Ransomware is the top supply chain risk facing organizations today, according to a survey released Monday by ISACA, a consortium of IT professionals with 140,000 members in 180 countries.
The survey, based on responses from more than 1,300 IT professionals with supply chain insight, found that nearly three-quarters of respondents (73%) said ransomware was a major concern when considering supply chain risks to their organizations.
Other major concerns include poor information security practices by suppliers (66%), software security vulnerabilities (65%), third-party data collection (61%) and third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%).
The heightened concern about ransomware may stem from the fact that it can deal an organization a double whammy.
“First, there is the risk of an attacker finding an attack path into an organization from a compromised vendor or software dependency, as we saw with the SolarWinds and Kaseya attacks, which saw a large number of downstream victims impacted through that supply chain,” explained Chris Clements, vice president of solution architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Then there are secondary effects,” he continued, “where a ransomware gang can steal data stored on a third-party provider and attempt to extort both organizations by threatening to release it publicly if the ransom is not paid.”
“The other side of the coin is that a ransomware attack on an organization’s supply chain can cause significant operational disruption if the third party it depends on is unable to provide services because of a cyberattack,” he told TechNewsWorld.
Those attacks on the software supply chain can have a ripple effect on the physical supply chain. Erich Kron, security awareness advocate for KnowBe4, a security awareness training provider in Clearwater, Fla., said, “Ransomware contributes to significant disruptions in the already taxed supply chain when the systems that manage the creation and delivery of goods and services are compromised or taken offline.”
“This could affect the ordering and tracking of inventory of materials needed to make an item, could affect the tracking of the status of items needed to fill orders and could cause problems with customers receiving materials, which could create shortages for their customers,” he told TechNewsWorld.
“In a world of on-time order fulfillment, any delay can affect the supply chain, affecting more and more people along the way,” he said.
Nearly a third of the IT professionals surveyed (30%) reported that the leaders of their organizations did not have an adequate understanding of supply chain risk. “The fact that it was only 30% was somewhat encouraging,” ISACA board director Rob Clyde told TechNewsWorld. “A few years ago this number would have been much higher.”
“I think a lot of the ignorance comes from underestimating the number of dependencies and their criticality to how an organization operates,” Clements said.
“These third-party tools, by their nature, often require administrative rights for many, if not all, of the customer’s devices they interact with, meaning that a compromise of just one of these vendors might be enough to completely compromise their customer’s environment.”
“Likewise, there is often an ignorance of how much organizations rely on third-party vendors,” he added. “Most organizations do not have a ready-to-go fallback plan if a major provider, such as their email or communications platform, had an extended outage.”
Even in situations where leaders understand the risks to their supply chains, they do not always err on the side of security. “In situations where companies have to choose between security and growth, every time you see them choosing growth,” said Casey Bisson, head of product and developer relations for BluBracket, a cybersecurity services company in Menlo Park, Calif.
“It comes at the risk of their customers. It comes at the risk of the company itself,” he told TechNewsWorld. “But increasingly, we’re starting to see executives being held accountable for those choices.”
The ISACA survey also found a strong vein of pessimism among IT professionals about the security prospects of their supply chains. Only 44% indicated they had high confidence in the security of their organization’s supply chain, while 53% expected supply chain issues to remain the same or get worse over the next six months.
Source: ISACA | Understanding Supply Chain Security Gaps | 2022 Global Research Report
One of the more surprising findings of the survey was that 25% of organizations said they had experienced a supply chain attack in the past 12 months. “I didn’t think it would be anywhere near that high,” Clyde said.
“While many organizations have experienced cyberattacks in the past 12 months, I didn’t think there would be that many to blame on a supply chain problem. If we had asked this question many years ago, it would have been a much smaller number,” he said.
Meanwhile, more than eight in 10 tech professionals (84%) said their supply chains need better governance than they currently have.
“The way we try to authenticate supply chain partners today just doesn’t work,” said Andrew Hay, COO of Lares, an information security consulting firm in Denver.
“We either generate an arbitrary score based on external scan data and IP-based confidence or we try and force them to fill out 100 or more questions on a spreadsheet,” he told TechNewsWorld. “Neither accurately reflects how secure an organization is.”
Need for Auditing
Many factors come into play when trying to secure a supply chain, said Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk prevention in Tel Aviv, Israel.
“Organizations only have full visibility into their own environments, which means they have to trust that their vendors are following best practices,” he told TechNewsWorld. “This means they need to have contingencies in place for when a third-party vendor breach occurs, or a build process that severely limits the damage that can occur if one does.”
“It is even more complicated when an organization needs to deal with multiple vendors to compensate for shortages or disruptions,” he continued. “Even with the right risk management tools, it can be difficult to account for everything in play.”
Kron said there should be some trust in suppliers; however, if governance is to be extended to verifying what organizations tell us, rather than relying on responses to a questionnaire, a system of auditing would have to be established.
“This will inevitably increase costs, something that many organizations work hard to keep as low as possible in order to remain competitive,” he said.
“While this may be easy to justify for critical government or military systems, it can be a hard sell for traditional suppliers,” he said. “To add to the challenges, it may be difficult or impossible to impose such a regime on foreign suppliers of goods and materials. This is not an easy challenge to tackle and will remain a topic of discussion for a long time.”