A new report from ISACA shows that 53% of respondents believe supply chain problems will remain the same or worsen over the next six months.
Security threats have magnified the supply chain challenges businesses have faced over the past two years, and a new ISACA survey report notes that only 44% of IT professionals surveyed have a high level of confidence in the security of their organization’s supply chain.
In addition, 30% said their organization’s leaders lack knowledge of supply chain risks, and the future doesn’t look much brighter: 53% said supply chain problems will remain the same or worsen over the next six months, according to the report from the trade association, which focuses on IT governance.
The report includes responses from more than 1,300 IT professionals with supply chain insight, 25% of whom noted that their organization has experienced a supply chain attack in the past 12 months, ISACA said.
Survey respondents listed five supply chain risks as their top concerns:
- Ransomware (73%)
- Poor information security practices by suppliers (66%)
- Vulnerabilities in software security (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP (55%)
“Our supply chains have always been vulnerable, but the COVID-19 pandemic has further revealed the extent to which they are at risk from a number of factors, including security threats,” said Rob Clyde, former ISACA chairman, NACD board member, and executive chairman of the board of directors for White Cloud Security, in a statement. “It is critical for enterprises to take the time to understand this evolving risk landscape, and to examine the security gaps within their organization that need to be prioritized and addressed.”
Better governance needed
When it comes to taking action, 84% said their organization’s supply chain needs better governance than it has today. Nearly one in five said their supplier review process does not include cybersecurity and privacy reviews.
Additionally, 39% of respondents said they have not developed incident response plans with suppliers in the event of a cybersecurity event, and 60% have not coordinated and implemented supply chain-based incident response plans with their suppliers. Nearly half of respondents (49%) said their organizations do not perform vulnerability scanning and penetration testing in the supply chain.
“Managing supply chain security risks requires a multi-pronged approach, including regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers,” said John Pironti, president of IP Architects and member of ISACA’s Emerging Trends Working Group, in a statement. “Building strong relationships with your organization’s suppliers and establishing ongoing communication channels is an important part of ensuring that assessments, information sharing and solutions run smoothly and effectively.”
How to strengthen IT supply chain security
Pironti outlined some key steps organizations should take to strengthen the security of their IT supply chain:
- You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they offer.
- Require disclosure of open source software components.
- Conduct threat and vulnerability analysis of the key third parties your business depends on.
- Create a contract addendum covering technical and organizational security measures for supply chain contracts.
- Trust, but verify. Conduct evidence-based assessments of significant third parties.
“To foster digital trust, there must be a level of trust in the security, integrity and availability of all systems and vendors,” said David Samuelson, CEO of ISACA, in a statement. “As we’ve seen from past incidents, customers don’t differentiate between an attack on any part of your supply chain and an attack on your own systems. Now is the time to take quick and meaningful actions to improve supply chain security and governance.”