Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant.
The cybersecurity services company polled 1,200 IT and procurement leaders responsible for supply chain and cyber-risk management from global companies with 1,000+ employees to compile its report: Managing Cyber Risk Across the Extended Vendor Ecosystem.
It revealed the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase.
Although the percentage of companies that don’t consider third-party risk a priority has fallen from 31% last year to 13% in 2021, the proportion who admit they have no way of knowing if an incident has occurred in their supply chain rose from 31% to 38%.
In addition, while 91% of respondents said budgets were increasing this year to help tackle the risk, investments don’t seem to be making an impact.
Typical pain points highlighted by the report include:
- Managing false positives and large data volumes.
- Prioritizing risk.
- Understanding the company’s own risk position.
“Budget increases demonstrate that firms are recognizing the need to invest in cybersecurity and vendor risk management. However, the wide yet consistent array of pain points suggests that this investment is not as effective as it needs to be,” argued BlueVoyant global head of third-party cyber-risk management, Adam Bixler.
“This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, in order to reduce the exposure of data before attackers take advantage of this.”
Supply chain risk has been abundantly evident over the past year, with big-name campaigns such as the SolarWinds breaches and the ransomware attacks on Kaseya customers highlighting the threat to organizations.
Organizations must evolve their third-party risk management from static questionnaires to continuous monitoring and rapid action to tackle critical new vulnerabilities, BlueVoyant claimed.