The Kaseya supply chain compromise demonstrated the threat that ransomware groups pose to supply chains. The compromise of the SolarWinds Orion network management platform through the SUNBURST backdoor likewise underscored how vulnerable supply chains are to attack. According to participants in this research, these compromises and the increase in supply chain and IoT attacks require organizations to rethink their supply chain and product security processes.
Sponsored by Finite State, Ponemon Institute surveyed 632 IT and IT security practitioners in the U.S. who are familiar with their organizations’ approach to securing embedded and connected devices and have complete or partial responsibility for setting and/or implementing their supply chain security strategies. The research targets device and connected device manufacturers in highly regulated industries.
Larry Ponemon will present findings from the study at a webinar on Wednesday, February 9, 2022, at 2 p.m. ET. Also presenting: Rich Nass, Executive Vice-President, Brand Director, Embedded Franchise, OpenSystems Media. Register for the webinar at this link.
Seventy-three percent of respondents say their organizations are very committed (40 percent) or committed (33 percent) to achieving a secure supply chain. Twenty-seven percent of respondents say their organizations are only somewhat committed.
While respondents are aware of and very concerned about the threats to their organizations' supply chains in light of recent compromises, only 39 percent of respondents say their organizations directly assess the security of supplied hardware and/or software, for example through penetration testing, vulnerability scanning, requests for Software Bills of Materials (SBOMs) and requests for security reports. Further, only 43 percent of respondents say their organizations assess the security development lifecycle of third-party vendors.
The following findings reveal why organizations are not giving supply chain security the priority it deserves.
- Product security is not a priority. Only 41 percent of respondents say their organizations make it a priority, even though 76 percent of respondents say the security of an IoT device is very important.
- Executives and boards of directors are not as involved in their organizations' product security practices as they should be. Only 27 percent of respondents say leadership requires assurance that product security is being assessed, managed and monitored appropriately.
- Product security processes and programs are not reviewed frequently. Only 24 percent of respondents say such a review occurs frequently to address evolving supply chain risks.
- A lack of resources and in-house expertise are obstacles to achieving a strong security posture. When asked what prevents the development of secure IoT/embedded products, 62 percent of respondents cite a lack of resources and 60 percent cite a lack of in-house expertise.
- Organizations need more resources to improve product security. Fifty percent of respondents say their organizations are not increasing investments for product security. As mentioned above, the number one obstacle to improved product security is the lack of resources.
- Organizations find it difficult to manage supply chain risks. Sixty percent of respondents say their organizations find it difficult to rapidly respond to new vulnerability disclosures that may affect their devices.
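Two of the findings above are connected in practice: the SBOM requests that only 39 percent of organizations make are exactly what lets the 60 percent who struggle with new vulnerability disclosures answer "does this affect our devices?" in minutes rather than weeks. The script below is an added example, not code from the study, Ponemon Institute or Finite State. It loads a small CycloneDX-style SBOM for a hypothetical gateway firmware, checks each component against a list of advisories with half-open affected version ranges, and returns the matches. The SBOM contents, the component versions and the advisory identifiers (`ADV-0001` and so on) are all constructed placeholders, not real CVEs or real product data.

```python
"""Match a device SBOM against newly disclosed vulnerabilities.

Added example; not part of the Ponemon/Finite State study. The SBOM, the
component versions and the advisory identifiers below are constructed
placeholders for illustration, not real products or real CVE numbers.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical IoT gateway firmware.
# Only the fields this example needs are present.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
    {"type": "library", "name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "mbedtls", "version": "2.28.0", "purl": "pkg:generic/mbedtls@2.28.0"}
  ]
}
"""

# Constructed advisories with placeholder IDs. Each names a component and the
# affected range [introduced, fixed); fixed=None means no fix is available yet.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "introduced": "1.1.1",  "fixed": "1.1.1l"},
    {"id": "ADV-0002", "component": "zlib",    "introduced": "1.2.0",  "fixed": "1.2.12"},
    {"id": "ADV-0003", "component": "busybox", "introduced": "1.32.0", "fixed": "1.33.1"},
    {"id": "ADV-0004", "component": "mbedtls", "introduced": "2.28.0", "fixed": None},
]


def version_key(version: str) -> Tuple:
    """Turn a version string into a comparable tuple.

    Digit runs compare numerically and letter runs compare as strings, so that
    1.1.1 < 1.1.1k < 1.1.1l < 1.1.2. Each token is tagged (0, int) or (1, str)
    so mixed tokens never raise a TypeError when compared.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    key = version_key(version)
    if key < version_key(introduced):
        return False
    if fixed is not None and key >= version_key(fixed):
        return False
    return True


def match_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one record per (advisory, affected component) pair.

    Components are indexed by lower-cased name; a list is kept per name because
    firmware images routinely ship the same library twice at different versions.
    """
    sbom = json.loads(sbom_json)
    by_name: Dict[str, List[Dict]] = {}
    for comp in sbom.get("components", []):
        by_name.setdefault(comp["name"].lower(), []).append(comp)

    hits = []
    for adv in advisories:
        for comp in by_name.get(adv["component"].lower(), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "purl": comp.get("purl"),
                    "fixed_in": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON, ADVISORIES):
        fix = hit["fixed_in"] or "no fix yet"
        print(f'{hit["advisory"]}: {hit["purl"]} affected (fixed in {fix})')
```

Run stand-alone, the script reports three matches: openssl 1.1.1k and zlib 1.2.11 fall inside their advisories' ranges, mbedtls 2.28.0 matches an advisory with no fix yet, and busybox 1.31.1 is below the introduced version of its advisory and is correctly skipped. In a production pipeline the match key should be the package URL or CPE rather than the bare name, and the version comparison should follow the ecosystem's own rules (semver, Debian, RPM) instead of the simple tokenizer used here; the point of the example is that none of this is possible without an SBOM for each shipped firmware version.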