As a security professional, you understand the complexity of defending your organization (or a client’s organization) against any number of existing and potential threats. The exercise quickly outgrows any one team’s capacity, however, when you are also forced to account for the security practices of every vendor in your organization’s supply chain. While basic strategies like regular anti-malware scans and limiting network access remain effective for protecting your company’s data and infrastructure, a new report from the security industry organization (ISC)2 highlights the need to take additional measures to address potential threats lurking in the supply chain.
For the report, Securing the Partner Ecosystem, (ISC)2 researchers surveyed 700 security professionals who work at small and large companies. Of the respondents, 64% said that their organizations outsource more than 25% of their daily tasks to vendors that require access to their data. The outsourced operations include everything from accounting and customer service to IT services and research and development. The respondents recognize that these are sensitive operations, and as such, 95% have a process in place to vet the cybersecurity defenses of their vendors, and 96% have contractual provisions dictating how potential vendors access and handle their data.
Risk in the Supply Chain
The report breaks out how security professionals view cybersecurity risks in their supply chains by whether they work for a large or small business.
Larger organizations were overall more confident about their defense posture than their smaller counterparts. A mere 17% of respondents from large companies noted that their organization suffered a breach due to working with a larger vendor, while only 14% reported a breach due to their use of a smaller vendor.
The numbers shake out a bit differently for security professionals working at smaller operations, with 40% of respondents stating that their organization had experienced a supply chain breach. Some of the small business respondents said that their organization was in part responsible for a supply chain breach; 33% admitted that someone at their company had mishandled a client’s credentials, and 41% had to notify a client to reset their credentials due to a breach on their end.
Protecting Against Supply Chain Threats
What measures should security professionals at both large and small organizations take to protect themselves and their vendors against supply chain threats? The report provided some best practices for businesses of all sizes.
The top 5 recommendations for enterprise-level organizations are:
- Run automatic anti-malware and antivirus scans regularly;
- Configure your firewall to block known malicious IP addresses;
- Protect against phishing using filtering (and training);
- Examine and document security incidents in a timely fashion; and
- Set acceptable threat levels and encrypt sensitive data.
Their list was similar for smaller organizations, with one change:
- Scan both incoming and outgoing email for potential threats and remove any executable files.
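The email recommendation above is easy to state and easy to get wrong: a filter that only looks at file extensions misses a renamed binary, and one that only looks at top-level attachments misses an executable inside a zip. The following is an added example of an attachment screen that does all three checks (extension policy, magic bytes, one level of archive inspection); it is not code from the (ISC)2 report, and the sample attachments, the extension list and the `scan_message` interface are constructed for illustration.

```python
"""Screen mail attachments for executable content (added example).

Assumes the mail pipeline has already decoded attachments into
(filename, bytes) pairs; the policy is "remove executables in either
direction", matching the recommendation for smaller organizations.
"""
import io
import zipfile

# Policy list of extensions treated as directly executable (constructed).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
    ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".jar", ".sh",
}

# File-format signatures checked regardless of the filename, so a binary
# renamed to photo.jpg is still caught.
MAGIC_SIGNATURES = (
    (b"MZ", "PE executable (MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O executable"),
    (b"#!", "script with interpreter shebang"),
)

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge archive members
MAX_ARCHIVE_DEPTH = 2                # zip inside zip inside zip is enough


def _extension(filename):
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def classify_attachment(filename, data, depth=0):
    """Return a list of (path, reason) findings; empty means "keep it".

    Order of checks: extension policy, then magic bytes, then (for zip
    data, which also covers docx/xlsx containers) each archive member.
    """
    findings = []
    ext = _extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append((filename, f"blocked extension {ext}"))
    for magic, reason in MAGIC_SIGNATURES:
        if data.startswith(magic):
            findings.append((filename, reason))
            break
    if depth < MAX_ARCHIVE_DEPTH and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        findings.append((f"{filename}/{member.filename}",
                                         "oversized archive member not inspected"))
                        continue
                    inner = archive.read(member)
                    for path, reason in classify_attachment(member.filename, inner, depth + 1):
                        findings.append((f"{filename}/{path}", reason))
        except zipfile.BadZipFile:
            findings.append((filename, "corrupt or malformed zip archive"))
    return findings


def scan_message(attachments):
    """Screen one message's attachments; returns (kept_names, removed)."""
    kept, removed = [], []
    for filename, data in attachments:
        findings = classify_attachment(filename, data)
        if findings:
            removed.append((filename, findings))
        else:
            kept.append(filename)
    return kept, removed


def _build_zip(members):
    """Build an in-memory zip from {name: bytes} (for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; none of these are real files.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4 sample document"),
    ("report.exe", b"MZ" + b"\x00" * 30),            # obvious executable
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 30),     # renamed executable
    ("setup.zip", _build_zip({"readme.txt": b"hello", "tool.exe": b"MZ" + b"\x00" * 8})),
]

if __name__ == "__main__":
    kept, removed = scan_message(SAMPLE_ATTACHMENTS)
    print("kept:", kept)
    for name, findings in removed:
        print("removed:", name)
        for path, reason in findings:
            print("   ", path, "->", reason)
```

Because the zip check fires on any `PK\x03\x04` prefix, Office documents are inspected member by member too; their XML parts produce no findings, so they pass unless they contain an embedded executable.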
Two other recommendations in the report are aimed directly at large organizations. First, vendors sometimes report vulnerabilities they spot to their clients; when asked how larger organizations responded to those notifications, 35% of security professionals at enterprises and 29% at small businesses said that the vulnerable organization took no action. Second, 55% of respondents from small businesses said that their access to a client’s network or data was never terminated after a project was completed or a contract ended. Both findings represent major risks to organizations that rely on supply chain relationships to keep their businesses operational.
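The second finding, vendor access that is never terminated, is a control gap a client can detect on its own side with a periodic review that joins the directory's vendor accounts against contract records. The following is an added example of such a review, not code from the report: the account inventory is constructed, the `contract_end` and `last_login` fields are assumed to be available from your contract system and identity provider, and the thresholds are illustrative defaults.

```python
"""Periodic review of vendor accounts against contract end dates (added example).

Assumes each record carries the contract end date from the procurement
system and the last successful login from the identity provider export.
"""
from datetime import date, timedelta

# Constructed inventory; the vendor names and dates are illustrative only.
VENDOR_ACCOUNTS = [
    {"account": "svc-acme-accounting", "vendor": "Acme Accounting", "enabled": True,
     "contract_end": date(2019, 3, 31), "last_login": date(2019, 6, 2)},
    {"account": "svc-bright-helpdesk", "vendor": "Bright Helpdesk", "enabled": True,
     "contract_end": date(2019, 12, 31), "last_login": date(2019, 6, 28)},
    {"account": "svc-cobalt-research", "vendor": "Cobalt Research", "enabled": True,
     "contract_end": date(2020, 6, 30), "last_login": date(2019, 1, 15)},
    {"account": "svc-delta-itops", "vendor": "Delta IT Ops", "enabled": False,
     "contract_end": date(2018, 12, 31), "last_login": date(2018, 12, 20)},
    {"account": "svc-echo-analytics", "vendor": "Echo Analytics", "enabled": True,
     "contract_end": date(2020, 1, 31), "last_login": None},
]


def review_vendor_access(accounts, today, grace_days=0, idle_days=90):
    """Return review findings for still-enabled vendor accounts.

    - contract ended more than grace_days ago  -> action "disable"
      (flagged "used after contract end" if the last login postdates the end)
    - contract active but no login in idle_days -> action "review"
    Disabled accounts are skipped; they already satisfy the control.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        end = acct["contract_end"]
        last = acct["last_login"]
        if end + timedelta(days=grace_days) < today:
            findings.append({
                "account": acct["account"],
                "vendor": acct["vendor"],
                "action": "disable",
                "days_overdue": (today - end).days,
                "used_after_contract_end": last is not None and last > end,
            })
        elif last is None or (today - last).days > idle_days:
            findings.append({
                "account": acct["account"],
                "vendor": acct["vendor"],
                "action": "review",
                "days_idle": None if last is None else (today - last).days,
                "used_after_contract_end": False,
            })
    # Most urgent first: disables before reviews, then by how overdue they are.
    findings.sort(key=lambda f: (f["action"] != "disable",
                                 -(f.get("days_overdue") or 0)))
    return findings


def format_report(findings):
    """Render findings as one line per account for a ticket or email."""
    lines = []
    for f in findings:
        if f["action"] == "disable":
            note = f"contract ended {f['days_overdue']} days ago"
            if f["used_after_contract_end"]:
                note += ", account used after contract end"
        else:
            note = ("never logged in" if f["days_idle"] is None
                    else f"no login for {f['days_idle']} days")
        lines.append(f"{f['action'].upper():8} {f['account']:24} {f['vendor']:18} {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed review date so the run is reproducible with the constructed data.
    print(format_report(review_vendor_access(VENDOR_ACCOUNTS, date(2019, 7, 1))))
```

A post-contract login is the finding to escalate: it means the access was not merely forgotten but actively used after the relationship ended, which is the scenario the 55% figure describes from the vendor's side.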