SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
New report highlights top supply chain concerns for 2022
Tue, 7th Jun 2022
FYI, this story is more than a year old

Over the last two years, supply chain challenges have impacted both enterprises and consumers alike, making it harder to access certain goods and maintain business continuity.

Security threats have only heightened these concerns, and a new ISACA survey report illuminates IT professionals' key concerns around security challenges and how their organisations are responding to them.

'Supply Chain Security Gaps: A 2022 Global Research Report' received responses from more than 1,300 IT professionals with supply chain insight, 25% of whom note that their organisation experienced a supply chain attack in the last 12 months.

Survey respondents cited these five supply chain risks as being their key concerns:

  • Ransomware (73%)
  • Poor information security practices by suppliers (66%)
  • Software security vulnerabilities (65%)
  • Third-party data storage (61%)
  • Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)

On top of this, 30% of respondents say that their organisation's leaders do not have sufficient understanding of supply chain risks. Only 44% indicate they have high confidence in the security of their organisation's supply chain, and the same percentage has high confidence in the access controls throughout their supply chain.

Their future outlook is not promising either, with 53% saying they expect supply chain issues to stay the same or worsen over the next six months.

Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security, comments, "Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats.

"It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organisation that need to be prioritised and addressed."

When it comes to taking action, 84% indicate their organisation's supply chain needs better governance than what is currently in place. Nearly 1 in 5 say their supplier assessment process does not include cybersecurity and privacy assessments.

Additionally, 39% have not developed incident response plans with suppliers in case of a cybersecurity event and 60% have not coordinated and practised supply chain-based incident response plans with their suppliers.

Nearly half of respondents (49%) say their organisations do not perform vulnerability scanning and penetration testing on the supply chain.

John Pironti, president of IP Architects and a member of the ISACA Emerging Trends Working Group, says, "Managing supply chain security risk requires a multi-pronged approach entailing regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers.

"Building strong relationships with your organisation's suppliers and establishing ongoing channels of communication is a key part of ensuring that reviews, information sharing and remediations happen smoothly and effectively."

Pironti outlined some key steps that organisations should take when working to strengthen their IT supply chain security:

  • You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide.
  • Require disclosure of open-source software components.
  • Conduct a threat and vulnerability analysis of key third parties for your business.
  • Create a technical and organisational measures contract addendum for supply chain contracts.
  • Trust, but verify. Conduct evidence-based reviews of key third parties.

David Samuelson, ISACA CEO, concludes, "To advance digital trust, there needs to be a level of confidence in the security, integrity and availability of all systems and suppliers.

"As we have seen from previous incidents, customers do not differentiate between an attack on an element of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve supply chain security and governance."