Ransomware is the greatest supply chain risk in the minds of IT professionals

Ransomware is one of the top supply chain risks facing organizations today, according to a survey released on Monday by ISACA, an association for IT professionals with 140,000 members in 180 countries.

The survey, based on responses from more than 1,300 IT professionals with supply chain insights, found that nearly three-quarters (73%) of respondents say ransomware is a concern when considering supply chain risks to their organization.

Other major concerns include inadequate information security practices by suppliers (66%), software security vulnerabilities (65%), third-party data storage (61%), and third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%).

The heightened concern about ransomware may be due to its potential for a double impact on the organization.

“First, there is a risk of an attack vector into the organization being found through compromised vendor or software dependencies, as seen in the SolarWinds and Kaseya attacks that affected a large number of downstream victims across the supply chain,” explained Chris Clements, Vice President of Solution Architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Arizona.

“Then there is a secondary impact. Ransomware gangs may try to blackmail both organizations by stealing data stored by third-party providers and threatening to publish it if the ransom is not paid.”

“The other side of the coin is that ransomware attacks on an organization’s supply chain can cause significant operational disruption if a third party it depends on cannot provide service because of a cyberattack,” he told TechNewsWorld.

Leader ignorance

These attacks on the software supply chain can have a spillover effect on the physical supply chain. “Ransomware creates significant disruption to already taxed supply chains when systems that control the manufacture and distribution of goods and services go offline,” said Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.

“This affects the tracking of ordering and inventory of the materials needed to create the item and the tracking of the status of the items needed to fulfill the order, and it causes logistical problems in delivering the material to the customer, which can cause shortages for customers,” he told TechNewsWorld.

“In the world of just-in-time order fulfillment, delays can spread to the supply chain and affect more and more people in the process,” he added.

Almost one-third (30%) of the IT professionals surveyed revealed that organizational leaders do not fully understand supply chain risks. “The fact that it was only 30% was a bit encouraging,” ISACA board member Rob Clyde told TechNewsWorld. “A few years ago, that number would have been much higher.”

“I think a lot of ignorance is due to simply significantly underestimating the number of dependencies and their importance to the operation of the organization,” Clements said.

“These third-party tools, by their very nature, often require administrator privileges on many, if not all, of a customer’s devices, which means that a breach of only one of these vendors can completely compromise the customer’s environment.”

“Similarly, we are often ignorant of how many organizations rely on third-party vendors,” he continued. “The platform outage has been prolonged.”

Pessimistic vein

Even when leaders understand the risks to the supply chain, they don’t err on the side of security. “Every time a company has to choose between security and growth, we see it choose growth,” said Casey Bisson, Head of Product and Developer Relations at BluBracket, a cyber security services company located in Menlo Park, California.

“It’s a risk to their customers. It’s a risk to the company itself,” he told TechNewsWorld. “But more and more, we are beginning to see executives responsible for those choices.”

ISACA’s research also found that IT professionals are strongly pessimistic about their supply chain security outlook. Only 44% said they had high confidence in the security of their organization’s supply chain, but 53% expect supply chain problems to be the same or worse for the next six months.

[Figure: Top Supply Chain Risks in ISACA Survey Results. Source: ISACA | Understanding Supply Chain Security Gap | 2022 Global Research Report]

One of the more surprising findings of the survey was that 25% of organizations said they had experienced supply chain attacks in the last 12 months. “I didn’t think it was that high,” Clyde said.

“Many organizations have experienced cyberattacks in the last 12 months, but I didn’t think there would be so many cyberattacks due to supply chain issues. If you asked that question a few years ago, it would have been a very small number,” he added.

Meanwhile, more than eight out of ten (84%) tech experts say that supply chains need better governance than they have today.

“Today, trying to certify a supply chain partner doesn’t work,” said Andrew Hay, COO of Lares, an information security consulting company in Denver.

“We either generate arbitrary scores based on external scan data and IP-based confidence, or we are forced to fill in more than 100 questions in a spreadsheet,” he told TechNewsWorld. “Neither is an accurate indication of the safety of the organization.”

Audit required

Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation in Tel Aviv, Israel, pointed out that there are multiple factors involved when trying to protect the supply chain.

“Organizations can only get a complete picture of their environment, which means they need to trust that vendors are following best practices,” he told TechNewsWorld. “This means that we need to build a process that includes contingencies in the event of a third-party vendor being compromised, or strictly limits the damage that can occur if it does occur.”

“It gets even more complicated when an organization needs to deal with multiple vendors to make up for shortages and confusion,” he continued. “Even with the right risk management tools, it can be difficult to explain everything.”

Kron added that there must be some trust in suppliers. However, if governance is to be strengthened so that survey responses are not only trusted but also confirmed, an audit system needs to be implemented.

“This inevitably increases costs, which is what many organizations are working hard to keep as low as possible to stay competitive,” he said.

“This may be easy to justify for an important government or military system, but it can be a difficult sell for traditional suppliers,” he continued. “In addition to the challenges, implementing governance for foreign suppliers of goods and materials can be difficult or impossible to achieve. This is not an easy challenge to tackle; it has been a long-standing debate, and it will continue to be a topic.”
