BlueVoyant released the findings of its second annual global survey into third-party cyber risk management. The study reveals that 97% of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain.
93% admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain and the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-over-year increase.
The study was conducted by Opinion Matters and recorded the views and experiences of 1200 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1000 employees across a range of industries including: business services, financial services, healthcare & pharmaceutical, manufacturing, utilities and energy, and defense. It covered six countries: USA, Canada, Germany, The Netherlands, the United Kingdom, and Singapore.
Companies still not prioritizing their vulnerable supply chains
- Only 13% of companies said that third-party cyber risk was NOT a priority, a drop compared to last year when 22% of companies said that supply chain and third-party cyber risk was not on their radar.
- The frequency with which companies assess their vendors has fallen year-on-year: 47% audited or reported on vendor security no more than twice per year, compared to 32% in 2020.
- 38% of respondents said that they had no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, compared to 29% last year.
- 91% say that budget for third party cyber risk management is increasing in 2021, compared to 81% who said this in 2020.
Commenting on the research findings Adam Bixler, Global Head of Third-Party Cyber Risk Management, BlueVoyant, said: “Even though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low. Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the Board.
“So long as it remains a line item only discussed once or twice a year – or less often – then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or embarrasses the firm.”
While budgets rise, firms are still experiencing multiple pain points
Reports of the scale of budget increases almost exactly matched figures from last year. 29% of companies reported budget increases from 26-50%; 42% reported increases of 51-100%, and 17% reported increases of 100% or more. Overall, 91% are planning budget increases.
However, the degree to which these rising investments are coordinated is unclear. Surveyed companies report an almost equal distribution of pain points: managing false positives, managing the volume of data, prioritizing risk, knowing their own risk position, among others. The fact that companies are reporting so many issues suggests that larger budgets are not yet resulting in sufficient risk reduction.
Adam Bixler continues: “Budget increases demonstrate that firms are recognising the need to invest in cybersecurity and vendor risk management. However, the wide yet consistent array of pain points suggests that this investment is not as effective as it could be. This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a lack of strategy when approaching third-party cyber risk which unfortunately is only going to lead to more breaches.”
Variations across industry sectors
Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk:
- The business services sector had the highest headcount in its cybersecurity or risk teams and correspondingly were most likely to be monitoring third-party risk daily.
- The healthcare sector exhibited the highest rate of third-party cyber risk awareness and 55% said identifying risk was a key priority, compared to an average of 42%. However, this sector also reported high breach figures, with 29% reporting 6-10 breaches in the last 12 months, compared to an average of 19%.
- Manufacturing respondents were least likely to identify supply chain/third-party cybersecurity risk as a key priority and were most likely to be reporting on an annual basis only.
Adam Bixler comments: “Our research shows that there are large concentrations of unknown third-party cyber risk across vertical sectors, supply chains and vendors worldwide and organizations are experiencing frequent vendor-originated breaches. While budgets are rising, the critical question is where funds should be directed to make a tangible impact to reduce third-party cyber risk. A lack of visibility, strategy and monitoring means the situation is unlikely to improve until it gets the appropriate attention.”
Jim Rosenthal, CEO at BlueVoyant, concludes: “Auditing or assessing your supply chain every few weeks or months is not sufficient to stay ahead of agile, persistent attackers. Continuous monitoring and quick action against newly discovered critical vulnerabilities needs to become the essential condition for effective third-party risk management.”