Last year, cyberattacks on third-party vendors cost organisations in various industries billions of dollars. From major banks to healthcare to governments, no one is immune.
But throwing more budget at the problem is not the solution.
BlueVoyant’s recent survey of 1,200 global security executives across industries revealed that despite more focus and budget going to third-party risk in 2021 than the previous year, breaches originating in third parties increased by 37%.
Here are BlueVoyant’s recommendations for enhancing cybersecurity efforts to minimise your supply chain risk.
1. Don’t Rely on a Big Budget Without a Defined Strategy
The disconnect between budgets and breaches suggests investments are not as efficient as they should be.
Third-party cyber risk (3PR) should always be tied to a defined strategy. Organisations should avoid “spray and pray” spending on more in-house cybersecurity staff, vendors and devices.
Spending on 3PR is considered strategic if it helps assess, rank, monitor, enforce and respond to vulnerabilities originating in the supply chain. If budgets aren’t improving these areas, investments will be mostly wasted.
The data shows there’s room for improvement in strategic 3PR spending…
- Forty-two percent of respondents reported budget increases of 51-100% for third-party cyber risk in 2021 compared to 2020, yet the average number of annual breaches grew 37% from 2020 to 2021.
- Despite budget boosts in 2021, pain points including reducing false positives, managing data volume, and prioritising risk all persisted throughout the year.
2. Improve Visibility into the Supply Chain
Full supply chain visibility means being able to support suppliers from first alerts to resolution.
To do that, you’ll need to invest in tools and services that answer these questions:
– Which third-party vendors are most critical to your business?
– What data and systems do they have access to?
– Are you setting security baselines that all third-party vendors must meet?
– Can you work with vendors directly to remediate risks quickly and effectively?
The data shows there’s room for improvement in 3PR visibility…
- Ninety-three percent of respondents suffered cybersecurity breaches because of weaknesses in their supply chain.
- Thirty-eight percent said they had no way of knowing if an issue arises with a third party.
- Forty-one percent said when they did inform third-party suppliers about a security issue in their ecosystem, they were unable to verify if it had been resolved.
3. Monitor Your Supply Chain Continuously
- You won’t be able to stay ahead of persistent attackers, or be prepared when a new zero-day vulnerability is found in the wild, if you’re only assessing your suppliers’ cyber posture periodically rather than continuously.
- Companies should invest in real-time threat detection and continuous monitoring tools that accomplish the following:
– Send alerts when vendor status changes and/or exceeds predetermined cyber-risk thresholds.
– Consistently pinpoint where vulnerabilities are, eliminate false positives and identify malicious activities originating from third parties.
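As an added illustration of the alerting behaviour the two bullets above describe (this is example code written for this page, not BlueVoyant’s tooling or anything from the report), the following monitor keeps per-vendor state so that it raises an alert only when a risk score crosses a vendor-specific threshold on consecutive checks (suppressing one-off noisy readings, the “false positives” the text mentions), alerts on status changes as findings appear, and emits a matching “cleared”/“resolved” event so the verification gap from section 2 can be closed. Vendor names, tiers, thresholds, scores and finding identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class VendorPolicy:
    """Per-vendor policy: more critical vendors get a lower alert threshold."""
    tier: str                # "critical" or "standard" (assumed tier names)
    threshold: int           # risk score (0-100) above which we consider the vendor breached
    confirmations: int = 2   # consecutive high readings required before alerting


@dataclass
class VendorState:
    breached: bool = False                           # currently above threshold and already alerted
    consecutive_high: int = 0                        # readings above threshold in a row
    open_findings: Set[str] = field(default_factory=set)  # finding ids seen at the last check


@dataclass
class Alert:
    vendor: str
    kind: str     # threshold_exceeded | threshold_cleared | new_finding | finding_resolved
    detail: str


class VendorMonitor:
    def __init__(self, policies: Dict[str, VendorPolicy]):
        self.policies = policies
        self.states: Dict[str, VendorState] = {v: VendorState() for v in policies}

    def observe(self, vendor: str, score: int, findings: Set[str]) -> List[Alert]:
        """Ingest one monitoring check for a vendor and return any alerts it produces."""
        policy = self.policies[vendor]
        state = self.states[vendor]
        alerts: List[Alert] = []

        # Threshold with a confirmation count: a single noisy reading does not alert,
        # and a vendor that stays breached does not re-alert on every check.
        if score > policy.threshold:
            state.consecutive_high += 1
            if not state.breached and state.consecutive_high >= policy.confirmations:
                state.breached = True
                alerts.append(Alert(vendor, "threshold_exceeded",
                                    f"score {score} > {policy.threshold} on "
                                    f"{state.consecutive_high} consecutive checks"))
        else:
            state.consecutive_high = 0
            if state.breached:
                state.breached = False
                alerts.append(Alert(vendor, "threshold_cleared",
                                    f"score {score} <= {policy.threshold}"))

        # Status change: findings that newly appeared or have since disappeared.
        for finding in sorted(findings - state.open_findings):
            alerts.append(Alert(vendor, "new_finding", finding))
        for finding in sorted(state.open_findings - findings):
            alerts.append(Alert(vendor, "finding_resolved", finding))
        state.open_findings = set(findings)
        return alerts


# Constructed policies: the payroll provider holds sensitive data, so it gets a low threshold.
POLICIES = {
    "payroll-saas": VendorPolicy("critical", threshold=40),
    "office-cleaning": VendorPolicy("standard", threshold=80),
}

# Constructed daily observations: (vendor, risk score, finding ids currently open).
FEED = [
    ("payroll-saas", 35, set()),
    ("payroll-saas", 55, {"FINDING-A"}),   # first high reading: new_finding, no threshold alert yet
    ("payroll-saas", 60, {"FINDING-A"}),   # second consecutive high reading: threshold_exceeded
    ("payroll-saas", 62, {"FINDING-A"}),   # still breached: no duplicate alert
    ("payroll-saas", 30, set()),           # back under threshold: cleared, finding resolved
    ("office-cleaning", 85, set()),        # single spike above 80
    ("office-cleaning", 70, set()),        # drops back: treated as transient, never alerted
]


def run_demo() -> List[Alert]:
    monitor = VendorMonitor(POLICIES)
    alerts: List[Alert] = []
    for vendor, score, findings in FEED:
        alerts.extend(monitor.observe(vendor, score, findings))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.vendor:16} {alert.kind:20} {alert.detail}")
```

On the constructed feed this yields four alerts, all for the critical vendor: the new finding, the confirmed threshold breach, the clearance, and the resolved finding; the office-cleaning spike never alerts because it was not confirmed on a second check. The confirmation count and thresholds are the tuning knobs a team would set per vendor tier.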
The data shows there’s room for improvement in 3PR monitoring…
- While continuous monitoring is essential for securing supply chains, the number of survey respondents practicing it dropped by half from 2020 to 2021.
- Too many cyber-attacks in 2021 occurred after newly discovered critical vulnerabilities were disclosed. Companies were unaware of them or ignored them.
4. Coordinate with the C-suite about Third-Party Risk
Executive buy-in is the most effective way to coordinate resources and define strategies for securing supply chains.
Third-party cyber risk should be an executive mandate. Make sure 3PR isn’t stuck in silos and is instead integrated with the company’s risk management strategy with clear lines of responsibility and budget ownership.
The data shows there’s room for improvement in executive involvement with 3PR…
- Survey respondents gave mixed answers on who owns third-party cyber risk – with answers falling across the CIO, CISO, CFO, even the CPO.
- The number of companies that regularly brief senior leadership on third-party risk dropped from 2020 to 2021.
Download BlueVoyant’s 2nd Annual Global Third Party Risk Report Now
Download Managing Cyber Risk Across the Extended Vendor Ecosystem 2021 to understand the full scope of third-party supply chain cyber risk.
The study was conducted by independent research organisation, Opinion Matters, and recorded the views and experiences of 1,200 CIOs, CISOs and Chief Procurement Officers in organisations with more than 1,000 employees across a range of industries. It covered six countries: U.S., Canada, Germany, The Netherlands, the United Kingdom, and Singapore.