New research suggests that cyber-attacks on supply chains increased by 51% in the last six months of 2021. Organisations have an opportunity to reduce their third-party risk by clarifying whether they or their suppliers are responsible for supply chain risk management, according to new global research by NCC Group of 1,400 cyber security decision makers. Around one in three (36%) said that they are more responsible than their suppliers for preventing, detecting and resolving supply chain attacks. Just over half (53%) said that their company and its suppliers are equally responsible for the security of supply chains.

Software supply chains are complex entities, often comprising hundreds of “suppliers” per application. Each supplier, or dependency as it’s also known, represents a vector for software to enter an organisation. Often software is subject to a vendor risk management review prior to procurement, but for some software, such as open-source software or SDKs, there is no explicit vendor against which to perform a risk assessment. That is partly because, in an open source context, supplier selection is decided by developers who are measured more by their ability to implement features quickly than by their skills in risk mitigation or compliance reviews.
Given the complexity of software supply chains, and the growing attention to them within business, it’s reasonable to expect cyber criminals to attempt to disrupt business operations by targeting the supply chains powering the business. Addressing the risks present in software supply chains starts by recognising that a traditional vendor-centric view of supplier validation is insufficient to accurately describe the risks requiring mitigation. Instead, mitigation strategies must be tailored to each of the potential methods by which software enters a business, so that process threats are identified well in advance of any need to mitigate vulnerabilities or respond to a cyber-incident.