Ransomware is the top supply chain risk facing organizations today, according to a survey released Monday by ISACA, an association of IT professionals with 140,000 members in 180 countries.
The survey, based on responses from more than 1,300 IT professionals with supply chain knowledge, found that nearly three-quarters of respondents (73%) said ransomware was a key concern when considering security risks. supply chain for their organizations.
Other key concerns included poor information security practices by vendors (66%), software security vulnerabilities (65%), third-party data storage (61%), and third-party service providers or vendors with access physical or virtual to information systems, code software or IP (55%).
The biggest concern about ransomware may be that it can have a double whammy on an organization.
“First, there is the risk that an attacker could find an attack path into an organization from a compromised vendor or software dependency, as we saw with the SolarWinds and Kaseya attacks that affected a large number of subsequent victims through that attack. supply chain,” explained Chris. Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Arizona.
“Then there are the side effects,” he continued, “where a ransomware gang can steal data stored on a third-party provider and try to extort money from both organizations by threatening to release it publicly if a ransom is not paid.”
“The other side of the coin is that a ransomware attack on an organization’s supply chain can cause significant operational disruption, if the third party it relies on is unable to provide services due to the cyberattack,” he told TechNewsWorld.
Those attacks on the software supply chain can have a ripple effect on the physical supply chain. “Ransomware contributes to significant disruptions in an already encumbered supply chain when systems that manage the manufacturing and distribution of goods and services go offline,” observed Erich Kron, security awareness advocate at KnowBe4, an awareness training provider. security in Clearwater, Florida.
“This can affect ordering and inventory tracking of materials needed to make items, affect status tracking of items needed to fill orders, and can create logistical issues getting materials to customers, creating shortages for your customers. ”, he told TechNewsWorld.
“In a world of just-in-time order fulfillment, any delay can ripple through the supply chain, affecting more and more people down the road,” he added.
Nearly a third of surveyed IT professionals (30%) revealed that their organization’s leaders did not have a sufficient understanding of supply chain risk. “The fact that it was only 30% was encouraging,” ISACA board director Rob Clyde told TechNewsWorld. “A few years ago, that number would have been much higher.”
“I think a lot of the ignorance comes from simply grossly underestimating the number of dependencies and their criticality to an organization’s operations,” Clements said.
“These third-party tools, by their nature, often require administrative rights to many, if not all, of a customer’s devices that they interact with, meaning that compromising just one of these vendors can be enough to fully compromise their customer environments as well.”
“Similarly, it’s often ignored how dependent many organizations are on third-party vendors,” he continued, “most organizations I know of don’t have a backup plan out of the box if a major vendor, like their email communications. the platform had a prolonged interruption”.
Even in situations where leaders understand their supply chain risks, they won’t err on the security side. “In situations where companies have to choose between security and growth, you will always see them choosing growth,” said Casey Bisson, head of developer and product relations for BluBracket, a cybersecurity services company in Menlo Park. , Calif.
“That comes at the risk of their clients. That is at the risk of the company itself,” he told TechNewsWorld. “But more and more, we’re starting to see that executives are responsible for those choices.”
The ISACA survey also found a strong streak of pessimism among IT professionals about the prospects for their supply chain security. Only 44% indicated that they are very confident in their organization’s supply chain security, while 53% expect supply chain issues to stay the same or get worse in the next six months.
Source: ISACA | Understanding supply chain security gaps | 2022 Global Research Report
One of the most surprising findings of the survey was that 25% of organizations said they had experienced a supply chain attack in the last 12 months. “I didn’t think it would be anywhere near that high,” Clyde said.
“While many organizations have experienced cyberattacks in the last 12 months, I didn’t think there would be so many attributing it to a supply chain issue. If we had asked that question several years ago, it would have been a very low number,” he added.
Meanwhile, more than eight in 10 tech experts (84%) said their supply chains needed better governance than they have now.
“The way we try to certify supply chain partners today just doesn’t work,” said Andrew Hay, chief operating officer of Lares, an information security consulting firm in Denver.
“Either we generate an arbitrary score based on external scan data and IP-based trust or we try and force them to fill out 100 or more questions in a spreadsheet,” he told TechNewsWorld. “Neither one accurately describes how secure an organization is.”
Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation in Tel Aviv, Israel, noted that there are multiple factors that come into play when it comes to securing the supply chain.
“Organizations only have complete visibility into their own environment, which means they have to trust their vendors to follow best practices,” he told TechNewsWorld. “This means they need to include contingencies for when a third-party provider is breached or create a process that severely restricts the damage that can happen if it happens.”
“That’s even more complicated when an organization needs to deal with multiple vendors to make up for shortages or outages,” he continued. “Even with the right risk management tools, it can be difficult to account for all that is at stake.”
Kron added that there has to be some trust in the suppliers; however, if governance is increased to confirm what organizations are telling us, rather than simply relying on responses to a questionnaire, an auditing system must be put in place.
“This will inevitably drive up costs, something many organizations strive to keep as low as possible to remain competitive,” he said.
“While this may be easier to justify for critical government or military systems, it can be a tough sell for traditional vendors,” he said. “To add to the challenges, enforcing governance on foreign suppliers of goods and materials can be difficult or impossible to achieve. This is not an easy challenge to tackle and will continue to be a topic of discussion for quite some time.”