
Large businesses 'overlook' supplier cybersecurity risks

Source: Vsoftsystems, 06/06/2018


IT professionals question due diligence process when onboarding new
suppliers

Large businesses in the UK may be overlooking vulnerabilities in their
supply chain when devising their cybersecurity strategies, new
research suggests.

Despite being confident in their own organisations' protections, IT
security professionals are concerned that the due diligence security
audits performed when taking on suppliers are insufficient, with only
35% of those questioned considering these audits to be 'very
comprehensive'.

Moreover, almost one in 10 of the 750 respondents told Citrix that
these checks amount to simply asking a few questions during the
initial pitch, with a fifth, 20%, confirming they do not communicate
with suppliers when testing their cybersecurity recovery process.

'Recent cyber-attacks demonstrate that the supply chain can be the
weakest link for a significant number of organisations,' said Citrix's
chief security architect, Chris Mayers.

'For example, the "NotPetya" campaign began with an extremely
effective supply chain attack, which had disastrous consequences for
Ukraine's national bank, airport and government department -
proceeding to infect machines in a staggering 64 countries.

'It is therefore vital that businesses conduct the necessary due
diligence when integrating a new provider into their supply chain,'
Mayers added.

Despite sharing concerns around their supply chains, the vast majority
of those questioned were convinced of the maturity of their own
organisations' cybersecurity resilience, with 93% expressing
confidence that their businesses would be able to operate effectively
following an attack.

More than half of respondents felt more confident their organisation
was sufficiently prepared against ransomware, and nearly two-thirds
said the same about phishing, 64%, and 72% about malware, but just 49%
felt the same about a distributed denial of service (DDoS) or
application layer attack.

However, almost half confirmed their businesses had suffered a data
breach in the last three months, with 11% admitting they'd experienced
one in the last week.

'Considering the risk associated with a supply chain attack,
conducting a cybersecurity audit of your supply base should not be a
box-ticking exercise,' Mayers continued.

'Ask yourself this question: has my business ever rejected a supplier
on the basis of audit findings? I suspect this number would be
significantly lower than the amount that are confident in their
supplier due diligence.

'The assessment of cybersecurity procedures should be a vital part of
any contractual agreement and organisations will need to ensure that
they have insurance to cover their supply base. Without these measures
in place, cyber criminals will use suppliers as a stepping stone to
gain access to their ultimate target - your business.'

Channel partners themselves should ensure they can withstand the
scrutiny of tougher security audits from clients, with the risk of
fines under GDPR a particularly strong reason for firms to ensure
their partners' security is in good shape.

