A new ISACA report shows that 53% of respondents believe supply chain problems will remain the same or worsen over the next six months.
Security threats have heightened the supply chain challenges businesses have faced over the past two years, and new ISACA survey report only 44% of IT professionals surveyed have high confidence in the security of their organization’s supply chain.
Furthermore, 30% said their organization’s leaders do not have an adequate understanding of supply chain riskand the future doesn’t look any better — 53% say supply chain issues will stay the same or worsen over the next six months, according to a professional association report that focuses on IT governance.
The report includes responses from more than 1,300 IT professionals with deep supply chain insights, 25% of whom noted that their organization experienced a supply chain attack in the past 12 months, ISACA said.
Survey respondents cited five supply chain risks as their main concern:
- Ransomware (seventy three%)
- Vendors have poor information security practices (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)
“Our supply chains have always been vulnerable, but the COVID-19 pandemic has further revealed the level of risk they face,” said Rob Clyde, former ISACA board chair and NACD board member. must be from a number of factors, including security threats”. and executive chairman of the board of directors of White Cloud Security, in a statement. “It is important for businesses to take the time to understand this evolving risk landscape, as well as check for possible security vulnerabilities within their organization that need to be prioritized and addressed.”
UNDERSTAND: Mobile device privacy policy (TechRepublic Premium)
Need better governance
When taking action, 84% said their organization’s supply chain needed better governance than it does now. Nearly one in five said their supplier evaluation process did not include network security and Privacy assessments.
Additionally, 39% of respondents said they have not developed an incident response plan with suppliers in the event of a cybersecurity event, and 60% have not coordinated and practiced response plans. supply chain problems with their suppliers. Nearly half of respondents (49%) said their organizations do not perform penetration testing and vulnerability scanning across the supply chain.
“Management of supply chain security risks requires a multi-pronged approach that requires frequent privacy and cybersecurity assessments,” said John Pironti, president of IP Architects and member of ISACA. regularly, and develop and coordinate incident response plans, both of which work closely with suppliers. Emerging Trends Working Group, in a statement. “Building strong relationships with your organization’s suppliers and establishing ongoing channels of communication is an important part of ensuring that review, information sharing, and remediation take place. smoothly and efficiently”.
UNDERSTAND: Password Breach: Why Pop Culture and Passwords Don’t Go Together (Free PDF) (TechRepublic)
How to strengthen IT supply chain security
Pironti outlined some key steps organizations should take as they work to strengthen their IT supply chain security:
- You can’t protect what you don’t know. Develop and maintain an inventory of suppliers and the capabilities they provide.
- Open source software components disclosure requirements.
- Conduct threat and vulnerability analysis of third parties important to your business.
- Create contract addendums on technical and organizational measures to supply chain contracts.
- Trust, but verify. Conduct evidence-based assessments by key third parties.
David Samuelson, CEO of ISACA, said: “To enhance digital trust, a level of trust in the security, integrity and availability of all systems and vendors is required. . “As we have seen from previous incidents, customers cannot distinguish between an attack on a component of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve security and supply chain governance.”
