When it comes to third-party vendors, the reality is that if they are not adequately secured, they increase the risk exposure of every organization that relies on them. In its third annual global survey on supply chain cyber risk management, BlueVoyant found that nearly all enterprises have been negatively impacted by cybersecurity breaches in their digital supply chain, an increase from 2021. The study reveals the challenges organizations around the world continue to grapple with as the supply chains they must defend become more complex.
Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant, took time to answer questions about what the study revealed.
What process does BlueVoyant undertake to conduct its annual global insights report? What was most surprising about this year's?
The study was conducted by the independent research organization Opinion Matters and surveyed 2,100 C-level executives in North America, Europe, and Asia Pacific. Respondents are responsible for supply chain and cyber risk management in organizations with more than 1,000 employees across a range of industries.
The survey showed that even though there is more awareness of supply chain cybersecurity, organizations are still struggling to monitor and prevent negative impacts from vendors and suppliers. The study found that 98% of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain, slightly up from 97% of respondents last year. One reason for this may be that 40% of respondents rely on the third-party vendor or supplier to ensure adequate security, which can leave them vulnerable to breaches. The silver lining is that more organizations are monitoring their supply chain more frequently. In 2021, 53% of companies said they audited or reported on supplier security more than twice per year; that number has improved to 67% in 2022. And budgets for supply chain security are up, with 84% of respondents saying their budget has increased in the past 12 months.
BlueVoyant's findings show businesses have invested more budget in supply chain defense and security than in previous years. Is it making a difference?
I was pleased to see that budgets for supply chain defense are overall increasing. However, nearly all surveyed organizations have been negatively impacted by a breach in their supply chain, which suggests that companies are still challenged to stop disturbances from vendors and suppliers. The most cost-effective way to stop supply chain breaches is to consider hiring a vendor to continuously monitor your supply chain and to also work with your vendors to quickly remediate their cybersecurity vulnerabilities.
What risks are organizations taking when working with third-party vendors who are not adequately secured?
As organizations' own internal cybersecurity becomes better defended, malicious cyber actors have realized that a supplier or vendor may have weaker security. Malicious cyber actors are opportunistic and look for the path of least resistance. As more third parties have network access, attackers are now compromising a third party in order to reach their target. Ransomware, data loss, or business continuity issues have all been orchestrated through a vulnerable third-party connection. If a malicious cyber actor can get access to a third-party supplier's or vendor's assets, they can exploit not only the overlapping technology between the organizations but also the trust relationship to conduct a more expansive attack.
What actions does BlueVoyant recommend companies take to improve their security posture with regard to supplier relations?
The best way to defend against supply chain attacks is to continuously monitor your supply chain in real time. In addition, organizations should work closely with their vendors to quickly remediate any issues, such as applying patches or fixing IT hygiene issues. Additional best practices include being aware of your entire digital supply chain and prioritizing those vendors that are critical to business continuity, ensuring cyber hygiene practices are routine within your organization, and limiting user privileges to only what is necessary.