Organizations are now more focused on supply chain, third-party cyber risk


Data released by a cybersecurity firm shows that companies are more focused on supply chain and third-party cyber risk, and more aware of their vendor ecosystems, than they were a year ago. Last year, 31 percent of companies said that supply chain and third-party cyber risk was not on their radar. That figure has dropped to about 13 percent this year, indicating growing concern among organizations about third-party cyber risk.

BlueVoyant released the findings of its second annual global survey into third-party cyber risk management, which showed that priorities have shifted in response to a rapidly evolving cyber threat landscape. “The number of companies reporting a supply chain of more than 1,000 companies more than doubled from 14% in 2020 to 31% in 2021. At the same time, the number of companies reporting 500 vendors or fewer dropped from 29% to 22%. It is possible that supply chains exploded, but it is more likely that companies became more aware of the full extent of their vendor networks,” the report said.

The study was conducted by an independent research organization, Opinion Matters, and recorded the views and experiences of 1,200 CIOs, CISOs, and chief procurement officers (CPOs) at organizations with more than 1,000 employees across industries including business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defense. It covered six countries: the U.S., Canada, Germany, the Netherlands, the U.K., and Singapore.

The BlueVoyant report also disclosed that 38 percent of respondents said they had no way of knowing when, or whether, an issue arose with a third party, while 41 percent said that if they did discover an issue in their third-party ecosystem they informed the supplier but were unable to easily verify whether the issue had been resolved.

The frequency of assessing third-party risk and briefing senior management fell between the 2020 and 2021 surveys: more companies assessed their vendors less often, BlueVoyant reported. Forty-seven percent audited or reported on vendor security no more than twice per year, compared to 32 percent in 2020, while the share of companies practicing continuous monitoring also dropped, from 0.9 percent to 0.5 percent.

“Even though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low,” Adam Bixler, global head of third-party cyber risk management at BlueVoyant, said in a media statement. “Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the board.”

This year, many of the most damaging third-party cyberattacks occurred immediately after new critical vulnerabilities were disclosed, the report said. For example, the cyberattacks in January that exploited weaknesses in Microsoft Exchange began within days of the exploits being discovered. Without continuous monitoring and rapid remediation, attacks like these can leave organizations exposed to significant threats for an extended period, because a vendor that has not patched remains a viable entry point long after the vulnerability is public.

Third-party cyber risk management needs to be, and can become, a strategic priority for the business, provided that the state of the third-party risk program is communicated consistently to senior management and the board, it added.

In the past year, persistent logistics and supply chain disruptions put manufacturing in the spotlight, as the supply of critical goods was delayed or halted. Nation-state attackers also turned their attention to critical manufacturing subsectors such as semiconductors, BlueVoyant said. This increased attacker focus on manufacturing is mirrored by increased regulatory pressure, as new legislation on IoT device manufacture and use will impose higher costs on manufacturing centers and services.

Manufacturing had the lowest percentage of respondents identifying supply chain and third-party cyber risk as a key priority, at 29 percent compared to 42 percent across all industries, according to the report. Manufacturing also had the highest percentage of respondents reporting on third-party cyber risk only annually, at 25 percent compared with 18 percent overall, and the lowest percentage reporting monthly, at 14 percent compared to 20 percent overall.

The utilities and energy sector faced increasing pressure, and increasing scrutiny, from regulators as cyberattacks shut down pipelines and disrupted power grids that are critical to the day-to-day needs of the affected populations, the report said. Attackers have shifted their focus to these historically less targeted organizations because ransomware and similar attacks against this sector create an acute need to restore service quickly, which victims may try to satisfy by paying to recover critical infrastructure.

The BlueVoyant report showed that respondents from the utilities sector were the most likely to say they monitor all of their suppliers, with 31 percent claiming to do so compared with 22 percent overall. CPOs are more likely to bear responsibility for third-party cyber risk in the utilities and energy sector, at 40 percent compared to an overall figure of 19 percent.

The healthcare and pharmaceutical industries had a difficult year. For years, cyberattacks on healthcare organizations have been climbing as cybercriminals increasingly target hospitals and healthcare systems to steal data or extract ransom payments, the BlueVoyant report noted. Data breaches have become commonplace, as large, integrated healthcare systems are targeted for the huge quantities of sensitive patient data they handle. The proliferation of digital healthcare tools has made care easier to access, but it has also created a wide, exposed attack surface for opportunistic cyber actors.

When attackers target the supply chain, large corporations remain the end goal. By using smaller suppliers as entry points and exploiting weaknesses in their defences, attackers find it easier to gain access to those large companies, analyst firm Deloitte said in a recent survey. The survey data is supported by the findings of qualitative interviews, underlining that suppliers and new technology appear to be a weak point in the respondents' cyber resiliency.

While 70 percent of the respondents state that they have not suffered a major cyber-attack during the last year, almost half of the respondents believe that they are resilient against cyber threats throughout the supply chain to a high degree. “It is unclear what this assessment is based on, but it could indicate that some of the surveyed consumer businesses are operating under a false sense of confidence when it comes to their own cyber defence,” Deloitte added.

Because supply chain ecosystems are large, multilayered, and complex, BlueVoyant recommended that organizations fully understand their third-party vendors beyond the first tier of most critical suppliers. Continuous monitoring and quick action against newly discovered critical vulnerabilities need to become the ‘sine qua non’ of effective third-party cyber risk management.

Another notable finding of the BlueVoyant study was that respondents globally gave mixed answers on the question of third-party cyber risk ownership, with responsibility split among CIOs, CISOs, CFOs, and even CPOs. Until third-party cyber risk is a clearly defined mandate at the executive level, it is difficult to effectively coordinate resources and define clear strategies, the firm added.
