BlueVoyant has published its latest “The State of Supply Chain Defense Annual Global Insights Report” (registration required). The report shines an interesting light on the supply chain and the risks that organisations see. Unsurprisingly, the top three challenges haven’t changed from last year, but there are some interesting findings elsewhere in the report.

Joel Molinoff, BlueVoyant’s global head of Supply Chain Defence, said: “UK businesses are still struggling to make progress on reducing supply chain and third-party cyber risk. Awareness and prioritisation remain low and breach frequency is persistently high. However, there are positive signs around rising monitoring rates and increased frequency of senior leadership briefings that may signal the start of a more determined and dynamic approach.”

A need to understand the risk that third-party suppliers pose

Those top three risks mentioned above are:

  1. A lack of internal understanding across the business that third-party vendors and suppliers are part of their cybersecurity posture, which was also ranked as the top pain point in 2022
  2. Working with third-party suppliers to improve their security performance, which has moved up to the second biggest pain point after ranking third in 2022
  3. Meeting regulatory requirements and ensuring third-party cybersecurity compliance, which was ranked second in 2022

The top concern should have the C-suite worried. The constant press focus on attacks through the supply chain has not eased up. Quite why that is not being grasped is unclear. More importantly, exactly who doesn’t get it is not clarified. Is this the C-suite itself? Is it the cybersecurity teams? Knowing where the disconnect sits is critical.

For almost two decades, there has been a conversation about how large organisations help smaller organisations in their supply chain to improve security. But how to do that is difficult. Should they invest money and provide training and tools? Should they demand better controls and evidence of auditing? For the latter, SOC 2 Type 2 audits become a key data point. It would have been interesting to see how many organisations are pushing their supply chain to get SOC 2 certification and then using Type 2 audits for verification.

All that said, the report does say that 47% of companies now monitor supply chain vendors, up from 22% last year. 44% also send briefings to senior management, up from 38% in 2022. Given the disruption in the last few years, it is a surprise that both of these are so low.

The number of third parties in supply chains continues to rise

The average number of third parties that large organisations deal with is now 6,138. That’s a significant number. It is large enough that dedicating staff to managing the problem is probably beyond most organisations. That means that they need other ways to spot risk.

In this report, BlueVoyant asked a series of new questions alongside those carried over from previous years. What it discovered is that organisations are looking at ways to prioritise and tier suppliers. It found three approaches:

  • 46% of respondents use contract value
  • 46% use criticality to operations
  • 51% use access to critical data/networks/apps

The analysis of this by BlueVoyant led it to say, “…we expect that organizations do not want to address cyber risk with a one-size-fits-all solution and will instead determine different solutions for each tier. For example, a concentration of high-risk vendors might warrant an approach that includes continuous monitoring and white glove end-to-end service, whereas for lower risk vendors, less detailed monitoring and questionnaire management technologies may suffice.”

Some of the technologies used to make that assessment are:

  • Security Ratings Service 34%
  • Software Bill of Materials (SBOM) 31%
  • Continuous Monitoring Solutions 31%
  • Network Scanning and Pen Tests 29%
  • Questionnaire Management Solutions 29%
  • Exchanges and Marketplace 28%
  • Nth-Party Identification and Mapping 28%
  • Audits and On-Site Visits 28%

The rise of the Software Bill of Materials (SBOM) has been impressive. More than 30% of respondents say that they are using SBOMs, but there is a lack of detail here. Having an SBOM and having it integrated with vulnerability, asset registers, and patching processes is something different. There seemed to be no question around that in this survey. It would be interesting to see that added for next year to gain insight into the maturity of the use of SBOMs.
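As an added illustration (not from the report or from BlueVoyant), the distinction drawn above in code: an SBOM becomes actionable only when its components are joined to an advisory feed and to the asset register so that patch work can be produced. All data below is constructed, the advisory identifiers are placeholders, and the field names are an assumption in a CycloneDX-like shape.

```python
"""Added example: joining an SBOM to vulnerability data and an asset register
to produce patch actions. SBOM, advisories and asset register are constructed
sample data; the field names follow a CycloneDX-like shape (an assumption)."""
import json

# Constructed CycloneDX-style SBOM for one internal application.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "billing-portal", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "webframe", "version": "2.0.1",
         "purl": "pkg:generic/webframe@2.0.1"},
        {"type": "library", "name": "safeutil", "version": "0.9.0",
         "purl": "pkg:generic/safeutil@0.9.0"},
    ],
})

# Constructed advisory feed: affected purl -> (placeholder advisory id, fixed version).
ADVISORIES = {
    "pkg:generic/libfoo@1.2.3": ("ADVISORY-PLACEHOLDER-1", "1.2.4"),
    "pkg:generic/webframe@2.0.1": ("ADVISORY-PLACEHOLDER-2", "2.0.5"),
}

# Constructed asset register: application name -> hosts that run it.
ASSET_REGISTER = {"billing-portal": ["prod-web-01", "prod-web-02"]}


def patch_actions(sbom_json, advisories, asset_register):
    """Return one patch action per SBOM component that matches an advisory,
    carrying the fixed version and the hosts on which it must be applied."""
    sbom = json.loads(sbom_json)
    app = sbom["metadata"]["component"]["name"]
    hosts = asset_register.get(app, [])
    actions = []
    for comp in sbom.get("components", []):
        hit = advisories.get(comp.get("purl"))
        if hit is None:
            continue  # component not affected by any known advisory
        advisory_id, fixed = hit
        actions.append({"application": app, "component": comp["name"],
                        "current": comp["version"], "fixed": fixed,
                        "advisory": advisory_id, "hosts": hosts})
    # Simple prioritisation: most widely deployed first, then by name.
    return sorted(actions, key=lambda a: (-len(a["hosts"]), a["component"]))
```

A component with an SBOM entry but no matching advisory produces no action, and an application missing from the asset register yields actions with an empty host list, which is itself a register gap worth surfacing.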

Breaches and news of breaches are changing behaviours and budgets

The impact of breaches and the news of breaches affecting other companies is beginning to make an impact on how people behave and on budgets. But is it enough?

For example, 39% said that breaches have caused increased scrutiny and oversight from their Board of Directors. That seems low and suggests that boards are not as engaged as they should be.

In terms of budget, 51% are expecting budget increases for additional internal resources to help protect against supply chain cybersecurity issues. Meanwhile, 45% expect that budget increase to be focused on external resources. The reality is that both are needed.

Overall, however, 85% have seen an increase in budget, up from 84% last year. While BlueVoyant calls that encouraging, what are the other organisations doing?

Enterprise Times: What does this mean?

In addition to the details pulled out above, half the report is dedicated to vertical markets and regions. They will be of interest to anyone wanting a more focused set of statistics.

What is interesting here is that more attention is slowly being paid to third-party risk through the supply chain. One suspects that a qualitative analysis would have shown significant differences between those who had suffered a breach and those who had not. That lack of qualitative insight is disappointing, as there are many data points that tease: there is much more to be discovered.
