ISACA, a leading international professional association focused on IT governance, recently released a new survey, “Supply Chain Security Gaps: A 2022 Global Research Report”, which gathered responses from more than 1,300 IT professionals on their main supply chain security concerns and on how their organizations are responding to them.
Since the SolarWinds compromise disclosed in late 2020, one of the largest and most sophisticated supply chain attacks to date, in which up to 18,000 customers downloaded a trojanized Orion update, managing information security across the value chain has gained importance. Image and reputation damage, lost revenue, regulatory fines and business suspension are just some of the impacts a cyber incident can have. According to John Pironti, president of IP Architects and member of ISACA’s Emerging Trends Working Group, a “cooperative approach” between companies and their suppliers is key to mitigating these risks:
“Most important is to establish an ongoing channel of communication and a relationship with the security personnel of key suppliers in an organization’s IT supply chain. A partnership ensures bidirectional intelligence and information sharing to allow an organization to make informal inquiries of their suppliers on an as-needed basis instead of only during formal audit and review periods. Peer relationships with suppliers allow an organization’s risk and security personnel to have an ongoing dialogue during which information can be shared without the fear of negative impacts,” says Pironti.
Despite advances, the report shows that significant improvements are still needed in third-party risk management:
- 84% of respondents indicate that their organization’s supply chain needs better governance than is currently in place.
- 61% say their risk assessments do not include supply chain risk assessments specific to devices that use artificial intelligence (AI).
- 49% say their organizations do not perform vulnerability scanning and supply chain penetration testing.
- 39% have not developed incident response plans with their vendors for a cybersecurity event.
- 20% say their vendor assessment process does not include cybersecurity and privacy assessments.
According to the report, 25% of organizations experienced a supply chain attack in the last 12 months. Respondents also ranked the risks they consider most worrisome for their ecosystem:
- Ransomware (73%)
- Poor information security practices by suppliers (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)
Finally, John Pironti lists five key considerations for organizations that want to strengthen the security of their IT value chain:
1. You can’t protect what you don’t know: develop and maintain an inventory of suppliers and of the resources (systems, software, services and data access) each one provides.
2. Demand disclosure of the open source software components in supplied products, for example in the form of a software bill of materials (SBOM), so that vulnerable dependencies can be identified without waiting for the vendor.
3. Analyze the third-party threats and vulnerabilities that matter to your business, rather than treating every supplier as equally critical.
4. Create a supplier contract addendum with information security guidelines and requirements, so that expectations such as vulnerability disclosure and incident notification are enforceable.
5. Trust but verify: implement recurring reviews based on evidence (scan results, audit reports, test outcomes) rather than on questionnaire answers alone.
If you would like to learn more about managing your partners and gaining visibility into the security posture of your third parties, across both their cloud environments and their on-premises attack surfaces, please contact us.