New Survey Says Organizations Are Tightening Security With Vendors After SolarWinds Hack




The SolarWinds Orion supply chain hack has led many organizations to review their future relationships with suppliers, even if they have used the network monitoring suite, a new survey suggests.

DomainTools released a survey of 200 security leaders, IT and corporate executives on Tuesday, stating: "Vendor and supply chain relationships are likely to undergo lasting change as new partnerships get higher levels of scrutiny than before."

So far, 47 percent of the 200 respondents said they would require vendors to meet their company's security standards, and legally pay attention to that.

Just under 40 percent said their organization would implement greater network segmentation, separating software and equipment from vendors in high-risk areas; just over 24 percent said they would implement Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) of vendor-provided software before using it in their environment. About 19 percent said they would end vendors' dependence on relations with hostile nations, and only 17 percent said they would reduce their dependence on outside vendors.

More than 27 percent said the attack did not change their company's focus on management providers. About 20 percent of respondents said that the SolarWinds event directly affected their organization,

The survey selected 200 global security professionals and executives from a variety of industries in February. More than half described themselves as security researchers or analysts, and another 6.5 percent said they were threat hunters; 19 percent had the title of IT manager and 14 percent were C-suite or vice president.

SolarWinds believes that some 18,000 Orion users downloaded an infected update that installed the backdoor. Among them, a very small number were actually hacked. It is estimated that in the United States, 100 public and private sector organizations had their security controls violated.

When asked how the SolarWinds hack affected their organization's existing vendor outsourcing strategy, just over 43 percent of respondents said that no active changes are planned and they trust their current vendors. More than 37 percent said they are asking vendors for more detailed security standards as part of the upgrade.

More than 34 percent said they were reassessing their current vendors with a heavy security burden. About 15 percent said they are actively switching providers due to security currency changes. And just over 11 percent said some in-house outsourced vendors are recalling due to security concerns.

Only eight percent said vendor usage and outsourcing are increasing.

About 21 percent said they were very confident in their visibility into security information or internal processes, and another 50 percent said they were fairly confident.

The United States has said that the attackers who resorted to the SolarWinds Orion update mechanism were "likely" from Russia. In response, the survey asked respondents how much emphasis their organization placed on state-sponsored attacks. Only 44 percent said high, about 37 percent said medium, and about 19 percent said low.

Eighty percent said that attention is very or very important in attacks. Fifty-one percent agreed that it provides context around the types of metrics needed for IT to be compromised, while 45 percent agreed that it helps to get more support from management for resources when they are investigating an incident.
