The latest research conducted by NISC finds growing concerns among cyber security leaders over supply chain risk and an erosion of trust in the security practices of their software and service provider partners – even as they rely more heavily on them.
79 percent of security professionals responding to a recent survey conducted by the Neustar International Security Council (NISC) indicated that their organization’s reliance on cloud-based solutions has increased from pre-pandemic levels, with 48 percent saying their reliance has ‘greatly increased’.
Similarly, 78 percent said their reliance on cloud-based services has increased (40 percent greatly), and 66 percent reported that their reliance on third-party services providers has increased (27 percent greatly).
As a result, 76 percent of respondents said they now view supply chain risk as a top security priority.
Reasons cited for this growing reliance include the increased pace of digitalisation within their organization (69 percent of those confirming increased reliance), the need to scale rapidly due to rising demand for the organization’s products and/or services (49 percent), and the inability to find in-house talent as readily as previously (39 percent).
Security professionals continue to express concern about increased risk due to closer integration with third-party partners. Nearly three-quarters (73 percent) of survey respondents believe they or their customers are exposed to some degree of security risk as a result of this integration (24 percent ‘very significantly’), and 77 percent say they have increased the rigor of their due diligence process for external partners as a result of the Log4j vulnerability and recent attacks against service providers such as SolarWinds and Kaseya.
When asked how they feel Log4j has been handled, security decision makers lacked confidence in the response, both internally and externally. Just 37 percent of respondents believe their own organization has completely addressed vulnerability issues connected to Log4j, and 43 percent admitted they were unsure whether trusted third-party partners had done so while one in four (24 percent) said ‘no’.
While 72 percent are confident in the contingency plans they have in place should a critical service provider experience an attack that disrupts services and puts their organization at risk, 24 percent do not feel confident about their organization’s response and 4 percent do not know how their organization would respond.
“Cyber security due diligence is becoming an increasingly critical component of the vendor and partner vetting process, as attacks can lead to repair costs and business disruption for organizations that are several steps downstream from the original target,” said Carlos Morales, senior vice president of solutions at Neustar Security Services. “Enterprises are recognising that they need to not only optimise their own security measures by adopting a proactive security-by-design strategy — which includes an ‘always on’ approach to cyber security — but to invest more in supply chain auditing as well. While digitisation brings undeniable business benefits, it’s worth remembering that any organization is only as secure as the least secure partner in its supply chain.”