New cybersecurity research has found that 97% of surveyed companies suffered ill effects due to a breach occurring in their supply chains.
In addition, 93% of the companies said that weaknesses in their supply chain had led to a direct cybersecurity breach. They also claimed that the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase.
The findings were published by cybersecurity company BlueVoyant in its second annual global survey into third-party cyber risk management.
BlueVoyant’s research involved responses from 1,200 CIOs, CISOs and Chief Procurement Officers in organisations with more than 1,000 employees. The companies came from six countries, including the UK, and from across a range of industries.
According to the study, only 13% of companies said that third-party cyber risk was not a priority, a drop compared to last year, when 31% of companies said that supply chain and third-party cyber risk was not on their radar.
Additionally, 38% of respondents said that they had no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, compared to 31% last year.
BlueVoyant Global Head of Third-Party Cyber Risk Management Adam Bixler warned: “Even though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low.
“Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the board.”
As in 2020, 91% say their budget for third-party cyber risk management is increasing in 2021, with the increases keeping pace with last year.
According to the research, 29% of companies reported budget increases of 26-50%; 42% reported increases of 51-100%; and 17% reported increases of 100% or more. Overall, 91% are planning budget increases.
However, BlueVoyant warned that the rising volume of attacks is limiting the effectiveness of these investments. Surveyed companies reported an almost equal distribution of pain points: managing false positives, managing the volume of data, prioritising risk, and knowing their own risk position, among others.
The fact that companies are reporting so many issues suggests that larger budgets are not yet resulting in sufficient risk reduction, the group warned.
Bixler added: “Budget increases demonstrate that firms are recognizing the need to invest in cybersecurity and vendor risk management. However, the wide, yet consistent array of pain points suggests that this investment is not as effective as it needs to be.
“This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, in order to reduce the exposure of data before attackers take advantage of this.”
Supply chains have provided a tempting target for cyberattacks. Even locking up one part can have major repercussions downstream – such as in the Colonial Pipeline attack.
With supply chains becoming so complicated and integrated, attacks can rapidly have a domino effect. The attack on Kaseya, a popular third-party software provider, hit many of the company’s customers. This had a knock-on effect across dozens of industries.
As such, the new research illustrates how companies can no longer simply be responsible for managing their own cybersecurity risk – they need to be vigilant of threats to third-party software and suppliers across the entire supply chain.