Supply chain risk is a top security priority as confidence in partners wanes

As cyber attackers increasingly look to capitalize on accelerating digitalization that has seen many enterprises significantly increase their reliance on cloud-based solutions and services as well as third-party service providers, software supply chain risk has become a major concern of organizations.

Seventy-nine percent of security professionals responding to a recent survey conducted by the Neustar International Security Council (NISC) indicated that their organization’s reliance on cloud-based solutions has increased from pre-pandemic levels, with 48% saying their reliance has “greatly increased.” Similarly, 78% said their reliance on cloud-based services has increased (40% greatly), and 66% reported that their reliance on third-party services providers has increased (27% greatly). As a result, 76% of respondents said they now view supply chain risk as a top security priority.

Reasons cited for this growing reliance include the increased pace of digitalization within their organization (69% of those confirming increased reliance), the need to scale rapidly due to rising demand for the organization’s products and/or services (49%), and the inability to find in-house talent as readily as previously (39%).

Security professionals continue to express concern about increased risk due to closer integration with third-party partners. 73% of survey respondents believe they or their customers are exposed to some degree of security risk as a result of this integration (24% “very significantly”), and 77% say they have increased the rigor of their due diligence process for external partners as a result of the Log4j vulnerability and recent attacks against service providers such as SolarWinds and Kaseya.

When asked how they feel Log4j has been handled, security decision makers lacked confidence in the response, both internally and externally. Just 37% of respondents believe their own organization has completely addressed vulnerability issues connected to Log4j, and 43% admitted they were unsure whether trusted third-party partners had done so while 24% said “no.”

While 72% are confident in the contingency plans they have in place should a critical service provider experience an attack that disrupts services and puts their organization at risk, 24% do not feel confident about their organization’s response and 4% do not know how their organization would respond.

“Cybersecurity due diligence is becoming an increasingly critical component of the vendor and partner vetting process, as attacks can lead to repair costs and business disruption for organizations that are several steps downstream from the original target,” said Carlos Morales, SVP of solutions at Neustar Security Services.

“Enterprises are recognizing that they need to not only optimize their own security measures by adopting a proactive security-by-design strategy — which includes an ‘always on’ approach to cybersecurity — but to invest more in supply chain auditing as well. While digitization brings undeniable business benefits, it’s worth remembering that any organization is only as secure as the least secure partner in its supply chain.”

In line with previous survey reporting periods, the potential for DDoS attacks remained security professionals’ greatest concern during the reporting period of May and June 2022 and was ranked the highest threat by 22% of respondents. System compromise and ransomware followed at 19% and 18%, respectively.

Ransomware, DDoS attacks and targeted hacking were the threats most likely to be perceived by respondents as increasing during the reporting period, and vendor or customer impersonation, targeted hacking, and DDoS attacks were the threat vectors that respondents indicated their organizations were most focused on addressing.

Of the enterprises surveyed in July, 85% reported having been on the receiving end of a DDoS attack at some point. 57% reported outsourcing their DDoS mitigation, and 62% said initiation of mitigation typically took between 60 seconds and 5 minutes, in line with previous responses.