Issues with the security of supply-chain partners will be one of the biggest security threats CISOs face in coming years, a security expert has warned as new figures revive concerns that “naïve” Australian companies are failing to factor cybersecurity into their purchasing and vetting procedures.
Just a third of respondents to CrowdStrike’s Securing the Supply Chain study – which polled 1300 senior IT decision makers and IT security professionals worldwide – said they were concerned about supply-chain attacks.
Only 18 percent said they faced a high risk of attack via their supply chain, but around two-thirds admitted that their organisation had work to do to be prepared to defend against supply chain attacks. Those figures were well behind the half that named phishing or spear phishing and 46 percent that were concerned about ransomware.
Underestimating exposure to supply-chain vulnerabilities – whether from business partners or suppliers of software – raises problems not only because of the direct risk of cybersecurity compromise, but because of the risk of follow-on business issues should that compromise occur for reasons outside of their direct control.
“It’s interesting to see that everyone thinks it’s an issue but nobody is acting on it,” CrowdStrike vice president of technology strategy Michael Sentonas told CSO Australia.
“Australians will be quite careful to work with the perceived established vendor,” he explained, “and they think that more established vendor will have greater levels of security controls in place – but then they don’t validate that.”
A matter of perception
Examination of attitudes towards partner security controls also revealed a split by job role: 37 percent of senior IT decision-makers expressed concern about supply-chain vulnerabilities, compared with the 29 percent of IT security professionals who felt the same.
The report attributes this difference to decision-makers’ broader visibility and sense of context, which may have led them to reach worrying conclusions about the state of cybersecurity.
Fixing that deficiency requires evaluating current cybersecurity defences and filling in any observed gaps. And with fully 64 percent of respondents admitting that their security spend is missing some key elements, there is significant room for improvement.
Yet even those expenditures are being directed in other ways, with supply-chain attacks named as a top area of IT focus by just 38 percent of IT decision-makers and 31 percent of IT security professionals.
By contrast, protecting data and early attack detection were named as top priorities by 61 percent of respondents.
The report’s authors leave little ambiguity about the problem: “supply chain attacks are being overlooked and forgotten about”, they warn.
Australian companies were amongst the least well-prepared to deal with a software supply chain attack, with just 41 percent of respondents saying they have a comprehensive strategy in place – compared with 60 percent in the US, 57 percent in the UK and 49 percent overall.
Australia too slow to respond
This comes as no surprise to Sentonas, who warned that the adoption of new approaches to supply-chain cybersecurity “is not happening fast enough” in Australia.
“Universally,” he said, “everyone is concerned about this issue – but we have found that other countries are being more aggressive in dealing with it.”
“In Australia we still have somewhat of a naïve debate in the industry about prevention vs protection – and I spend a lot of time trying to educate people that attackers are opportunistic, and will use whatever is necessary and available to them to carry out their goals.”
That’s an ominous warning for companies that, all too often, prioritise price and other factors over cybersecurity when establishing procurement and partnership relationships. Fully 62 percent of respondents agreed that their organisation can overlook software supply chain security when making IT spending decisions.
This can have dramatic consequences for organisations where a reported average 96-hour window for responding to cybersecurity breaches “is just too long”, Sentonas said.
“We have to change people’s thinking and get them to do something about this particular issue,” he explained. “This is not a place where you can say that you have a contract in place and have transferred the risk. The risk stays with the organisation, and they need to be the ones to have measures in place to stop it and deal with it.”
“At the end of the day, if you have a breach, the organisation is responsible. You can’t offload the issues and blame your partner: in this regulated world, you’re responsible – and your customers expect you to be responsible.”