Organizations are still neglecting to secure their supply chains, according to panellists at a session during Infosecurity Europe 2022.
Panel chair and security consultant Peter Yapp warned that fewer than 10% of organizations have reviewed their suppliers’ security. “Attacks on the supply chain will only increase,” he said.
Firms face a growing volume of attacks on their software vendors and managed service providers. Criminal groups are following the lead of nation-state actors in using the supply chain as a route into organizations. “It is a jump off point that gets into multiple customers,” said Yapp.
Stopping attacks via third parties remains difficult. Although automated tools are being developed, organizations still rely on manual processes, pre-contract discovery, contract clauses and questionnaires.
“We need to make sure we have the ability to insert ourselves in the right part of the process,” said Lewis Woodward, director of cyber operations at Maersk. This includes procurement and legal steps.
Ideally, security teams should be alerted when firms buy in services from the cloud; one company even places notification flags on its corporate credit cards to warn security teams of purchases. But others still rely on questionnaires.
“They do have their place,” said Praveen Singh, head of global risk and cyber at ICBC Standard Bank. “You need to have defense in depth.” This could include checking that a supplier has specific certifications. But firms are also making more use of third-party security rating services, he added.
According to Jeremy Snyder, founder and CEO of FireTail, even basic questionnaires can be useful, if the data reaches the IT security team, rather than being just a check box used by procurement. “Questionnaires are very rarely consumed by security operations,” he warned. “Part of me wants to put in a ‘green M&Ms question’ to see if anyone is actually listening.”
Maersk’s Woodward added that questionnaires need to be tailored to the supplier. “If, regardless of the service, you send a 500-line questionnaire, you won’t get the data you need,” he said.
However, organizations should not rely on questionnaires or other point-in-time assessments of supply chain risk. It remains difficult to scan and verify third-party services, but security teams can monitor for abnormal behavior, said Woodward.
CISOs could also make better use of automated patching, suggested FireTail’s Snyder. “The rewards from automated patching far outweigh the risk of automated patching disrupting production systems,” he said.