With the dual challenge of keeping supply chains both robust and secure, a new survey from the Information Systems Audit and Control Association (ISACA) has examined the top security concerns of IT professionals and how their organizations respond to them.
Supply Chain Security Gaps: A Global Research Report 2022 received responses from over 1,300 IT professionals with supply chain knowledge, 25% of whom indicated that their organization had experienced a supply chain attack in the past 12 months. Survey respondents cited these five supply chain risks as their top concerns:
- Ransomware (73%)
- Poor information security practices by vendors (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code or intellectual property (55%)
Additionally, 30% of respondents say that their organization’s leaders do not have a sufficient understanding of supply chain risks. Only 44% report having a great deal of confidence in their organization’s supply chain security, and the same percentage have a great deal of confidence in access controls throughout their supply chain. Their outlook isn’t rosy either, with 53% saying they expect supply chain issues to stay the same or get worse over the next six months.
“Our supply chains have always been vulnerable, but the COVID-19 pandemic has further revealed how threatened they are by a number of factors, including security threats,” said Rob Clyde, former chairman of the ISACA Board of Directors and Executive Chairman of the Board of White Cloud Security, in a statement.
When it comes to taking action, 84% say their organization’s supply chain needs better governance than is currently in place. Nearly 1 in 5 say their vendor assessment process does not include cybersecurity and privacy assessments. Additionally, 39% have not developed incident response plans with suppliers for a cybersecurity event, and 60% have not coordinated and practiced supply chain incident response plans with their suppliers. Nearly half of respondents (49%) say their organizations do not perform vulnerability scanning or supply chain penetration testing.
“Managing supply chain security risks requires a multi-pronged approach involving regular cybersecurity and privacy assessments, as well as the development and coordination of incident response plans, both in close collaboration with suppliers,” says John Pironti, president of IP Architects and member of ISACA’s Emerging Trends Task Force, in a statement. “Building strong relationships with your organization’s vendors and establishing ongoing communication channels are key to ensuring that reviews, information sharing, and corrective actions run smoothly and efficiently.”
Pironti outlined some key steps organizations should take when working to strengthen their IT supply chain security:
- You can’t protect what you don’t know. Develop and maintain an inventory of vendors and the capabilities they offer.
- Require disclosure of open source software components.
- Perform a threat and vulnerability analysis of the third parties that matter most to your company.
- Add a technical and organizational measures addendum to supply chain contracts.
- Trust, but verify. Conduct evidence-based reviews of key third parties.
“To advance digital trust, there must be a level of trust in the security, integrity and availability of all systems and providers,” says ISACA CEO David Samuelson. “As we’ve seen in previous incidents, customers don’t differentiate between an attack on something in your supply chain and an attack on your own systems. Now is the time to take quick and meaningful action to improve supply chain security and governance.”
ISACA also offers additional publications on the subject, including the ebook How to Manage Supply Chain Risk.