Insecure Supply Chains Holding The World Together

How prepared are companies to protect their supply chain from cyber-attack?
16 August 2022

2%. That’s the percentage of members of ClubCISO, an organization made up of Chief Information Security Officers from around the world, who believe the supply chain that keeps their company alive currently has optimal security, according to the latest ClubCISO Information Security Maturity report.

Just 2%. If you translated that into Doomsday Clock terms, you’d be way past 11PM in terms of time left to stave off a supply chain catastrophe.

For years now, the cybersecurity threat landscape has largely been based in individual companies, with hacking, scamming, and phishing used to target mature organizations down towards the full product or service end of the supply chain.

But in the last year, there has been a shift in the thinking of companies, insurers, and cybercriminals alike. Attackers are now targeting the relatively vulnerable supply chains that feed the traditional victim companies and keep them producing, precisely because those chains are vulnerable: compromising an earlier, less protected link in the chain is as effective a way of holding a company with a relatively mature security footprint to ransom as any other, but it takes significantly less time and effort.

The Upside of a Pandemic?

If anything beneficial can be said to have come from this shift in attack priorities, it’s that it has forced companies that were previously myopic on cybersecurity and focused only on building their own asset-specific fortress, into thinking about the problem more holistically, and – dare we say it – even socialistically, as they recognize that there’s some hard business truth in the maxim that the health of the one depends on the health of the many.

Indeed, for the majority of companies who completed the surveys that fed into the report, the impact of the pandemic on their companies’ approach to cybersecurity was broadly positive.

The recent Mobile Security Index report for 2022 showed a 22% increase in cyber-attacks in 2021 over the previous year, and largely attributed the almost 100% jump in the number of attacks to the combination of remote work becoming a post-pandemic model, and the increased freedom to move about to areas where cybersecurity could be more easily compromised in the loosening of lockdowns.

But the ClubCISO report says that the pandemic largely boosted the influence of CISOs in their company, as managers everywhere suddenly had to take cybersecurity with the seriousness it has always deserved. A full 46% of CISOs who responded to the surveys said they had increased their influence within their organizations since Covid initially hit, and 75% of those asked said there had been positive or no material change in their companies’ attitude to security as a result of the increase in remote working.

67% of CISOs reported that their companies have actually increased their information security spend on the previous year, and an impressive 91% of CISOs have accelerated their cybersecurity tactics over the same period.

The Downside

Where the news takes a turn for the sinister is in the statistic that 30% of companies represented by ClubCISO members either didn’t want, or more importantly, could not get cyber-insurance. That’s a situation that’s only likely to get worse in 2023 as the insurance market, and international regulators, respond to the bumper year for cybercriminals and the oncoming recession. On the other hand, the statistic can also be read as meaning that a full 70% of companies with a CISO on board did want and could get cyber-insurance – at least for now. The question of cyber-insurance also led ClubCISO to speculate on the real-world dollar value of carrying insurance as opposed to plowing funds into ensuring the insurance is never needed.

Even in the devastating doom-headline figure that only 2% of ClubCISO members rated their companies’ process for dealing with supply chain cyber-attack as optimum, there’s room to take a business-calming breath. The next two gradations of preparedness for these attacks – managed and defined – clocked up a much more reassuring 62% between them, 25% and 37% for each category respectively.

That said, Stephen Khan, Chairman of ClubCISO, took the opportunity of the report’s publication to underline the danger in which supply chains stand.

“The pandemic shone a spotlight on the huge number of blind spots in our supply chains. So while we’re actively doing more to improve third-party security, supply chain risk in general still remains immature,” he wrote.

More encouragingly, there’s evidence that new practices and policies are having a massive positive impact in generating a security culture in companies. When asked which policies had done the most to build that positive culture in the last twelve months, two approaches that hadn’t been included in the previous year’s survey – simulated phishing and leadership endorsement of security culture – were voted by far the most productive practices to adopt, with leadership endorsement scoring 63% and simulated phishing 57%.

Clearly, there’s still a lot of work to do in companies to protect their supply chain, both for their own sake and the sake of the business ecosystem in which they operate. How secure the supply chains remain or become over the course of the next 12 months will depend on whether practices that work for individual companies can be spread throughout the supply chain, and whether companies are willing to spend the hard cash to do so as many parts of the world head into at least some sort of recession.