#InfosecurityEurope2022: Tackling Widespread Data Breaches from Third Parties

Organizations are still neglecting to secure their supply chains, according to panellists at a session during Infosecurity Europe 2022.
Panel chair and security consultant Peter Yapp warned that fewer than 10% of organizations have reviewed their suppliers’ security. “Attacks on the supply chain will only increase,” he said.
Firms face a growing volume of attacks on their software vendors and managed service providers. Criminal groups are following the lead of nation-state actors in using the supply chain as a route into organizations, because compromising one supplier can open access to many of its customers at once. “It is a jump off point that gets into multiple customers,” said Yapp.
Stopping attacks via third parties remains difficult. Although automated tools are being developed, organizations still rely on manual processes, pre-contract discovery, contract clauses and questionnaires.
“We need to make sure we have the ability to insert ourselves in the right part of the process,” said Lewis Woodward, director of cyber operations at Maersk. This includes procurement and legal steps.
Ideally, security teams should be alerted whenever the business buys in cloud services; one company even places notification flags on its corporate credit cards so that purchases are reported to the security team. But others still rely on questionnaires.
“They do have their place,” said Praveen Singh, head of global risk and cyber at ICBC Standard Bank. “You need to have defense in depth.” This could include checking that a supplier has specific certifications. But firms are also making more use of third party security rating services, he added.
According to Jeremy Snyder, founder and CEO of FireTail, even basic questionnaires can be useful, if the data reaches the IT security team, rather than being just a check box used by procurement. “Questionnaires are very rarely consumed by security operations,” he warned. “Part of me wants to put in a ‘green M&Ms question’ to see if anyone is actually listening.”
Maersk’s Woodward added that questionnaires need to be tailored to the supplier. “If regardless of the service, you send a 500-line questionnaire, you won’t get the data you need,” he said.
However, organizations should not rely solely on questionnaires or other point-in-time assessments of supply chain risk, since a supplier's security posture can change after the assessment is made. It remains difficult to scan and verify third-party services directly, but security teams can monitor those services for abnormal behavior, said Woodward.
CISOs could also make better use of automated patching, suggested FireTail’s Snyder. “The rewards from automated patching far outweigh the risk of automated patching disrupting production systems,” he said.