Supply chain attacks on global organizations increased by 51% between July and December 2021, with third-party risk emerging as a key priority, according to new research from the NCC Group.
The UK-based information assurance firm polled 1400 security decision-makers at organizations with over 500 employees in 11 countries to better understand supply chain risk.
With attacks on the rise, just a third (32%) of responding organizations said they were “very confident” that they could respond “quickly and effectively” to a supply chain breach.
The research appeared to reveal some confusion over which party is responsible for preventing, detecting and mitigating supply chain risk. A third (36%) of respondents said their organization was more responsible than their suppliers, while half (53%) said responsibility was equally split.
NCC Group warned that organizations would increasingly be held responsible by regulators for supply chain risk. It cited the EU’s Digital Operational Resilience Act (DORA), which apparently mandates that financial firms include key security requirements in contracts with third parties.
The GDPR also demands more transparency and accountability from every supplier in the chain, with both customer and supplier potentially held responsible in the event of a breach.
Half (49%) of the organizations polled by NCC Group said they did not stipulate security standards that their suppliers must adhere to as part of their contracts. A third (34%) claimed they don’t regularly monitor or risk-assess supplier cybersecurity arrangements.
“Many organizations work closely with their suppliers by integrating them into their infrastructures to increase efficiencies and strengthen operations, but this can increase their cyber risk by widening their potential attack surfaces. Security gaps in supply chains can lead to leakage of customer data and serve as entry points for ransomware attacks,” warned NCC Group director of remediation Arina Palchik.
“Our findings uncovered specific areas for improvement including clarity around responsibility for preventing, detecting and resolving attacks and lax controls for supplier assurance.”
Supplier risk is now recognized as a top challenge for the next six to 12 months, according to the survey.