A new Kaspersky study has revealed that more than two-thirds of companies are willing to invest in the security of their contractors and suppliers to guarantee invulnerability to cyberattacks, while a further quarter is already doing that. This shift signals that contractors are now considered by businesses as part of a single, interconnected security ecosystem.
Amid a surge in supply chain attacks, hitting nearly every third company and trusted relationship attacks affecting a quarter of companies globally over the past year[1], organizations reconsider their approaches to internal security, recognizing that their own cyber risk hinges on the security posture of any contractor or partner with access to their infrastructure and systems, and are prepared to act accordingly.
According to the survey, 69% of respondents are considering investing in the security of their contractors to strengthen their own cyber resilience. This readiness is especially high in India (83%), Indonesia (80%), Russia (80%) and Brazil (76%). It is noteworthy that organizations in Indonesia, Brazil and Russia show higher trust in contractors than those in other countries — this is evidenced by a higher than average number of contractors with access to the companies’ systems.
At the same time, 25% of businesses have already begun sharing security costs with their contractors, moving from intention to action. The adoption rate is higher in Hong Kong and Taiwan (33%), Spain (33%), Turkey (31%) and Vietnam (31%).
“Today businesses realize that security cannot end at the boarders of their own organization, it must extend across the entire ecosystem,” comments Sergey Soldatov, Head of Security Operations Center at Kaspersky. “Smaller companies often lack the security capabilities of the enterprises they serve, posing extra risks to the latter. By sharing resources and expertise, larger companies can close this gap, strengthening weak points throughout the entire dependency chain — and become a key driver of global cyber resilience.”
To reduce supply chain risks, Kaspersky recommends that companies strengthen their security through organizational measures, including rigorous and evidence-based evaluation of software providers. By assessing vendors’ security practices, reviewing software development processes and applying structured evaluation frameworks companies can ensure that only secure, resilient products work in their internal infrastructure. A more detailed guide on how to choose the best product is available via the link.
For mitigating supply chain and trusted relationship risks, Kaspersky also recommends the following:
- Collaborate with suppliers on security issues. It’s vital to work closely with suppliers to improve their security measures — such collaboration strengthens mutual trust and makes protection a shared priority.
- Thoroughly evaluate suppliers before entering a deal. It’s crucial to assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents and compliance with industry security standards.
- For software products and cloud services, it’s recommended to collect data on vulnerabilities, and penetration tests, and sometimes it’s advised to conduct dynamic application security testing (DAST).
- Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization’s relevant security policies, and incident notification protocols.
- Adopt preventive technological measures. The risk of serious damage from supplier compromise is significantly reduced if your organization implements security practices such as the principle of least privilege, zero trust, and mature identity management.
More recommendations along with other findings on supply chain risks are available via the link.
[1] According to the “Supply chain reaction: securing the global digital ecosystem in an age of interdependence” report. For the report, Kaspersky internal market research center commissioned a survey, questioning 1,714 technical experts, ranking from C-level employees and vice-presidents to team leads and senior specialists from enterprises with more than 500 employees. The study covered 16 countries, including Germany, Spain, Italy, Brazil, Mexico, Colombia, Singapore, Vietnam, China, India, Indonesia, Saudi Arabia, Turkey, Egypt, the United Arab Emirates and Russia.
