In a poll of 2,100 C-Level executives in large organizations, responsible for supply chain and cyber risk management, security firm BlueVoyant is reporting that 98% of the organizations suffered a supply chain breach, up from 97% last year. Industries surveyed included: business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defense.
“The survey shows that supply chain cybersecurity risk has not decreased and, in fact, more enterprises than ever have reported being negatively impacted by a cybersecurity disturbance in their supply chain,” said Adam Bixler, BlueVoyant’s global head of supply chain defense.
Key findings:
- 40% of respondents rely on the third-party vendor or supplier to ensure adequate security.
- In 2021, 53% of companies said they audited or reported on supplier security more than twice per year; that number has improved to 67% in 2022. These numbers include enterprises monitoring in real time.
- Budgets from supply chain defense are increasing, with 84% of respondents saying their budget has increased in the past 12 months.
- The top pain points reported are internal understanding across the enterprise that suppliers are part of their cybersecurity posture, meeting regulatory requirements, and working with suppliers to improve their security.
Trusted suppliers’ is becoming an oxymoron. The industry is having to adapt and is maturing in the process. Attackers have known for centuries that the best way into an adversary is through a trusted channel. Also, the return for “poisoning a well” that many drink from can be very effective for the attacker and costly for the victims.
This can happen several different ways. It could be by committing code to open source repositories that are then downloaded directly or used within other software. Or taking advantage of vulnerabilities that already exist in deployed software throughout an environment. That is why it is important to understand not only where software comes from, but where it is within an organization.
It requires knowing what components are used within each application, and on which server it is running, installed, or stored. Knowing where everything is and how it is used is required when vulnerabilities are found (such as OpenSSL, Log4J, Struts, Springs, and many others) so they can be remediated or mitigated. Like food that has a list of ingredients, it is necessary for applications to have a software bill of materials, or SBOM to detail what’s inside.
Beyond applications, all suppliers should be considered as part of the attack surface. This can be hardware (do you know where the devices came from or the chips that are in them?). It also expands to vendors and service providers.