Recent IT supply chain attacks such as the SolarWinds compromise, ransomware campaign that leveraged the Kaseya VSA platform or mass exploitation of the Log4j vulnerabilities have renewed focus on such attacks, which NCC Group says increased by 51% in the last half of 2021.
The consulting and managed services firm’s global survey of 1,400 cybersecurity decision makers found that organizations are taking this into consideration, noting supplier risk as a top challenge for the next six-to-12 months, with plans to increase security budgets by an average of 10% this year.
NCC Group’s research suggests that just over a third of organizations think they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers. Meanwhile, 53% said both parties are equally responsible for securing software supply chains.
Despite plenty of responsibility to go around, only half of organizations surveyed said it demand suppliers meet certain security standards as part of its contracts. Further, more than a third of organization surveyed said it does not regularly monitor and risk assess the cybersecurity arrangements with its suppliers.
Recent supply chain security issues have renewed calls for software supply chain security, including software bills of materials (SBOM) that spell out each component being used in a piece of software, including where vulnerabilities may exist.
The U.S. government last year defined the minimum elements of an SBOM, calling the document a formal record containing the details and supply chain relationships of various components used in software.
“SBOM will not solve all software security problems, but will form a foundational data layer on which further security tools, practices, and assurances can be built,” the U.S. Department of Commerce said in its report.
Many organizations work closely with its software suppliers by integrating it into its IT infrastructures to increase efficiencies and strengthen operations, but this can actually increase risk by widening potential attack surfaces, said Arina Palchik, global commercial director of remediation at NCC Group, in a statement.
That can lead to security gaps and serve as entry points for cyberattacks such, and judging from NCC Group’s repot, that is playing out.
“It’s encouraging that organizations recognize supplier risk as one of their top challenges for 2022. However, our findings uncovered specific areas for improvement including clarity around responsibility for preventing, detecting and resolving attacks and lax controls for supplier assurance,” Palchik said. “It’s important that any investment in security addresses these areas to reduce third-party risk and enable organisations to work with their suppliers in confidence.”