Supply chain security breaches are not likely to go away anytime soon and appear to be getting worse, according to a newly released survey of executives at more than 2,000 enterprises.
BlueVoyant on Thursday reported that its third annual global survey on cyber risk management found that almost all enterprises experience cybersecurity breaches in their digital supply chain. The survey results showed increasing supply chain risk, with 98% of respondents reporting that they had been negatively impacted by a cybersecurity breach in their supply chain – slightly worse than the 97% who reported that in 2021.
The study included 2,100 chief information officers (CIOs), chief security officers (CSOs), chief operating officers (COOs), chief procurement officers (CPOs), and chief technical officers (CTOs) across a range of industries, including business, finance, defense, health care, manufacturing, energy, and utilities, in the UK, USA, Canada, APAC, Singapore, and five European countries.
Forty percent of respondents reported that they still rely on their suppliers for adequate security, a major pain point in managing cyber risks. Other persistent challenges include:
- The lack of internal understanding that third-party suppliers are a prominent part of the organization’s security infrastructure.
- Meeting the necessary regulatory requirements and ensuring third-party cybersecurity compliance.
For many: supply chains lengthen
The study revealed that a greater percentage of companies (38% in 2022) said supply chain cyber risk was not on their radar. Still, organizations have increased their use of technology to understand the threat vector and make informed decisions. Continuing a trend from the past two years, the reported size of supply chains also shows a steady increase: 50% reported supply chains of over 1,000 companies, up from 38% in 2021 and 14% in 2020.
This data provides evidence of the dire need for automated technology to monitor large supply chains continuously while directly helping the suppliers reduce cyber risk.
More scrutiny of supply chain firms
Further analysis of the study showed that 53% of companies in 2021 audited supplier security more than twice per year. The figure rose to 67% in 2022 – a positive trend that also raises questions about organizations that do not frequently examine their supplier security, which leads to devastating impacts. Such companies become vulnerable to emerging threats like zero-day attacks, opening the door for increased risks.
Overall, a strong majority of companies (84%) said they were spending more money addressing cyber risks in 2022 than a year before. Despite that, much more work needs to be done to address supply chain risks. Fully 40% of respondents to the survey reported that they don’t know when an issue arises with a supplier. Another 42% said that if they do discover a problem within their supply chain ecosystem, they cannot verify it and can only hope the supplier can fix it.
More work needed to mitigate supply chain cyber risks
With 2023 just around the corner, organizations should work with suppliers and prepare them to address cyber risks, the survey concluded. CIOs, CISOs, and COOs still need help to increase understanding within their businesses that suppliers are part of the organization’s security posture. In this regard, the study also offers some recommendations for minimizing cyber risk challenges among supply chain vendors.
The report emphasizes that the conventional approach to monitoring supply chain risk only alerts the organization to vulnerabilities within its supply chain environment. Organizations now need broad visibility into the extended supply chain ecosystem through a holistic approach that includes proactive outreach to the supply chain to work with individuals. This goes beyond continuous monitoring and includes risk mitigation through direct contact with the supplier.
Another promising way to reduce cyber risk is educating employees about the importance of cyber risks. The entire organization, including security executives, the board of directors, and senior leadership not involved with cybersecurity, must understand that supply chain risks are a critical business aspect and represent financial and reputational damage.
In addition, by regularly updating senior leadership and monitoring suppliers, companies can stay ahead of the security issues in their supply chain before bad actors exploit them.
In conclusion, supply chain risks continue to threaten organizations. But with education and constant monitoring, the security situation can improve in the time ahead.