Most Firms Rely on Trust Alone for Supply Chain Security

Around 70% of global organizations could be at risk from supply chain attacks because they don’t have enough visibility into their partners’ security posture, according to new Accenture research.

The consulting giant polled over 6600 IT and business executives in 27 countries worldwide to compile its findings as part of the Tech Vision report.

It revealed that just 29% of global companies know enough about their suppliers’ approach to cybersecurity. Even worse, over half (56%) claimed to rely on trust alone to satisfy any question marks over cyber-risk.

The UK was aligned with the global average, with just 29% of business and IT execs having insight into partner security processes, although the figure dropped to less than half that in China (11%) and Japan (14%).

The US (35%) and Germany (30%) boasted among the largest number of companies with supply chain insight. However, at still only around a third, many organizations would seem to be exposed to third-party attacks such as “island hopping,” which led to major breaches at the likes of US retailer Target and the US Office of Personnel Management (OPM).

Chinese state-sponsored hackers were behind another major supply chain attack in recent years: Cloud Hopper targeted firms through their managed service providers (MSPs) in what has been described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”

Accenture warned that supply chain attacks like this could account for around a quarter of the total value at risk from cybercrime over the next five years.

“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over” said Nick Taylor, cybersecurity lead for Accenture UK. “Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organizations.”

He urged organizations to collaborate more with other firms and reach out to governments to help manage these risks better.

CISOs should be included in new business discussions from the start, threat modelling must be improved by anticipating where hackers may strike, and processes should be designed to continuously assess risk as suppliers are on- and offboarded, Accenture argued.

What’s Hot on Infosecurity Magazine?