Many businesses are woefully unprepared to defend against supply chain cyberattacks, despite a number of successful high-profile incidents and increased awareness, new research has found. In a Venafi poll of 1,000 CIOs, 82% of respondents said their organizations would be vulnerable to cyberattacks targeting software supply chains.
Since the Covid-19 pandemic, and with the increasing speed of development (thanks to practices such as DevOps), securing the supply chain has become a far more complex task, the report found. The way software engineers behave isn’t helping, either: almost nine in ten CIOs (87%) believe software engineers and developers compromise on security policies and controls in order to get new products and services to market faster.
As a result, businesses are more vulnerable, and incidents such as SolarWinds and Kaseya lend credence to the claim. The success of earlier supply chain attacks has also motivated cybercriminals to devote even more time and resources to the practice, the report said.
However, it does seem that CEOs are taking notice of such threats: the report adds that 85% of CIOs were specifically instructed by their chief executives to “improve the security of software build and distribution environments”. At the same time, 84% said the budget dedicated to the security of software development environments increased in the last 12 months.
“Hackers have discovered that successful supply chain attacks, especially those that target machine identities, are extremely efficient and more profitable,” said Kevin Bocek, vice president of threat intelligence and business development for Venafi.
One of the reasons supply chain attacks are so successful, Bocek believes, is that developers push for innovation and speed, leaving security in the back seat. “Unfortunately, security teams rarely have the knowledge or the resources to help developers solve these problems and CIOs are just waking up to these challenges,” he added.
To tackle these challenges, Venafi found, most CIOs (68%) are implementing additional security controls, while 57% are updating their review processes. Just over half (56%) are expanding their use of code signing, while 47% are examining the provenance of their open-source libraries.