BlueVoyant has released its latest State of Supply Chain Defence annual report (registration required). Organisations continue to struggle with cyber risk in their supply chains, despite a shift from passive to active approaches.
The company is seeing more organisations now actively operating Third-Party Risk Management (TPRM) programmes. This has led to a shift from awareness to enforcement and compliance. The goal is to reduce risk and strengthen supply chains.
Joel Molinoff, global head of Supply Chain Defense at BlueVoyant, said, “More organizations than any previous year indicated that their primary focus is no longer on awareness of the third-party risk management problem or adoption of a program, but rather with the operational, day-to-day challenges of managing an effective program.
“While this progress also brings many new challenges, it indicates a major step in the right direction when contrasted with previous years where many organizations had poor tracking of third-party vendors, little to no leadership oversight, and virtually no collaboration when it came to remediating cyber issues.”
Partners are good, risk is not
All organisations rely on third parties, including suppliers, support providers and customers, to be successful. In a technology-driven world, that means integrating IT systems to reduce costs and improve processes. That integration requires trust and creates a mutual reliance. However, a breach at any one organisation in that supply chain can affect the others.
This report shows the level of interconnectedness between organisations. SMEs (1,000-5,000 employees) have over 1,500 third-party partners. Organisations with 10,000-15,000 employees find themselves with over 5,000 partners. For the largest organisations, that soars to over 8,000 partners.
The numbers from the report are less positive when you look at how many of those partners are regularly monitored. The smallest group monitors around 45% of its partners, while the other two monitor 31% and 23% respectively. That leaves significant gaps in monitoring, and an unmonitored attack surface that grows with the organisation.
Looked at regionally, 34% of UK organisations say they monitor suppliers regularly (monthly or more frequently). In Europe, that plummets to 20%. When it came to knowing whether risk was emerging in a supplier, the picture was similarly mixed. Europe (28%) has much better visibility than the US (40%).
BlueVoyant found that the number of cyber-attacks an organisation faces tracks the size of that attack surface. 51% of organisations with 101-500 suppliers were impacted by a cyber breach. At the other end of the scale, 95% of those with more than 10,000 suppliers were impacted by a breach.
Regionally, 95% of UK companies have been affected by a breach, while the best-performing region was Europe at 76%.
Greater investment in TPRM programmes
That level of risk has resulted in organisations investing more heavily in TPRM programmes. The level of investment in TPRM has jumped 19% to 36%. It is still far short of where it needs to be, and disappointingly, the report did not provide any cost indicators.
What is shown in the research is that APAC (40%) sees supply chain risk as a higher priority than other regions. The US (31%) lags behind.
It would also have been interesting to see how many had implemented new TPRM programmes as a result of pressure from insurers. Over the last year, cyber insurance providers have required organisations to do more to protect themselves. Knowing whether insurers mandated TPRM programmes would be a useful data point, as it would show where the pressure to improve is coming from.
What the report did show is a significant difference in how companies in different regions saw their budgets increase in the last 12 months. In the US & Canada, and the UK, 92% expected an increase in their budgets for TPRM. In APAC, it was 90%.
Surprisingly, and without explanation in the report, that plummets to 80% in Europe. With Europe having some of the most comprehensive compliance programmes in the world, this makes no sense. It could be that TPRM is seen as part of other programmes, and therefore the funding is split. Without any qualitative follow-up, however, it is hard to know.
Enterprise Times: What does this mean?
There has been a lot of attention on supply-chain risk over the past few years. Much of the high-profile attention has revolved around a few cyber-attacks where a breach at a supplier had significant downstream impacts.
- The Ticketmaster breach was caused by a problem with Snowflake, which managed its cloud infrastructure.
- Okta had private customer data accessed in a breach. By the time it informed customers, weeks later, the breach had caused significant disruption to those customers.
- An inactive signing key from a Microsoft Azure system was stolen. It was then used to create valid email access tokens that Azure AD accepted and allowed access to multiple customers. That same incident spilled over to Office365 used by those same customers.
- Ivanti’s Connect Secure VPN was exploited via two vulnerabilities. Multiple customers around the world were impacted as thousands of VPN devices were compromised.
These are just a few of the dozens of supply-chain attacks from the last 18 months. There are many more, and some had a wider and longer-lasting effect. Organisations need to look hard at how they secure their supply chains. While implementing a TPRM programme is a start, it has to be aligned with other programmes.
One thing missing from this research, and indeed from much supply-chain research, is how larger organisations will help smaller suppliers. Over a decade ago, IBM and HP discussed having larger customers audit their key suppliers and provide them with action plans. That fell by the wayside. Given the problems shown here in knowing the risk and mitigating it, perhaps it’s time to look again at something similar.