As digital initiatives have advanced at a breakneck pace over the past several years, organizations have come to rely more heavily on external software and service providers. While this has been a necessity and has driven major operational gains for most companies, it has also created anxiety around software supply chain risk. One of our recent NISC surveys found that confidence in the supply chain ecosystem is waning, with many security decision makers saying they feel exposed through software or service providers and three-quarters of respondents calling supply chain risk a “top priority.”
Given the increasingly interconnected nature of modern business, any company in any industry can fall victim to a supply chain attack — which is why this area is one key security threat I’ll be watching in 2023 (see part 1 here).
As SolarWinds, Kaseya and others have demonstrated, a company’s external partners are now part of its attack surface. Organizations must be able to trust that what their partners provide will not only operate to specification but also will not introduce new security vulnerabilities into their environment. It is critical for companies to vet suppliers and partners appropriately and to hold them contractually accountable for maintaining security standards that are at least as stringent as their own.
In 2023, organizations will need to continue increasing the rigor of their vetting processes for potential new partners — and for existing partners, before renewing their contracts — with steps ranging from developing a more thorough understanding of their reputation in the market to auditing the practices they apply to their own supply chain. Security requirements should more broadly become part of partners’ contractual obligations to one another, along with audit rights to inspect controls periodically.
Even with the right terms in the contract, enterprises can’t count on their partners to catch everything. Ultimately, organizations remain responsible for vetting the solutions they use. Current best practice dictates that every business should actively perform vulnerability scanning on all systems and subsystems within its reach, regularly exercise its incident response processes, and, when possible, engage third-party penetration testing firms to verify its defenses.
In this environment of increasing supply chain attacks, a strong commitment to security — by both parties to every contract — will be needed to minimize risk.