Around 70% of global organizations could be at risk from supply chain attacks because they don’t have enough visibility into their partners’ security posture, according to a new Accenture Tech Vision research report.
The company polled over 6600 IT and business executives in 27 countries worldwide and it revealed that just 29% of global companies claim to know enough about their suppliers’ approach to cybersecurity. Even worse, over half (56%) claimed to rely on trust alone to satisfy any question marks over cyber-risk.
Even though the United States boasted among the largest number of companies with supply chain insight (35%), that still leaves a sizable number of organizations that are woefully unprepared to defend against major breaches like US retailer Target and the US Office of Personnel Management (OPM).
Many organizations continue to unknowingly expose themselves to third-party “island hopping attacks“. The attack, in which a partner is compromised and access to your network is granted through previously established access rules, exploits the trust your organization has with its partners.
The report also warned that supply chain attacks like this could account for around a quarter of the total value at risk from cybercrime over the next five years.
We at Lares® strongly advise our clients to take a multi-faceted approach to securing their supply chain partnerships:
- Ensure your organization has an effective and measurable information security program that includes, among other things, a detailed incident response plan in the face of a supply chain incident.
- Review your existing, or implement new, policies regarding the evaluation of partner security. This includes requirements for doing business with your organization such as a defined security program and associated documentation, required minimum security controls, and certification and attestation letters from independent auditors.
- Conduct a full, manual exploitation exercise mirroring a real-world supply chain attack against your organization. Lares has created a unique service to replicate the connection and integration into your organization’s supply chain, in order to identify vulnerabilities in its exposure.
Contact Lares today to learn how our supply chain testing capabilities and security advisory services can help your organization identify exposures and threats before a loss can occur.
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.