92% of US organisations in the survey have experienced a cybersecurity breach that came from a vendor
Cyber security risks are huge in supply chains, and a major area of vulnerability is the vendor ecosystem, says new research.
Hackers are targeting vendor ecosystems: more than nine in 10 organisations in the US reported breaches originating from vendors in the past 12 months, and the average US organisation was breached in this way 3.1 times, the highest figure of all the countries surveyed.
The key findings in the US include 33% of organisations saying they have no way of knowing if cyber risk emerges in a third-party vendor, with just under one-third (31%) monitoring their entire supply chain. The global average across all respondents was just 23%. Additionally, US respondents are monitoring and reporting more frequently than most other countries surveyed: 35% report monthly and 9% weekly, while 27% only re-assess and report their vendors' cyber risk position bi-annually or less frequently. 86% also said that the budget for third-party cyber risk management is increasing, by an average of 45%.
The most common problems leading to breaches were revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs in the past 12 months. These were working with suppliers to improve their security performance, prioritising which risks are urgent and which are not, and offboarding suppliers with the same rigor with which they were onboarded. In response to these issues, budgets for third-party cyber risk programs are set to rise in the coming year.
The survey also investigated the tools organisations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating. Many US organisations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 43% of the respondents. Point-in-time tactics such as on-site audits and supplier questionnaires also remain common.
Over half (54%) of US organizations think the CISO owns cyber risk, while 27% say it belongs to the CIO and 10% say Chief Procurement Officers are responsible. This division over who ultimately owns cyber risk is causing issues around the allocation of budget and resources and, ultimately, an organization's ability to remediate issues when they arise.
Commenting on the research findings, Jim Penrose, Chief Operating Officer for BlueVoyant, said: "Overall, the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment are defeating attempts to effectively manage third-party cyber risk in a meaningful way. It is critical for US organizations to decide who owns third-party cyber risk. Until this question is answered, it is impossible to adopt a coherent and effective strategy and make meaningful progress to manage it. Third-party cyber risk must be taken out of operational silos and integrated fully with the organisation's overall risk management strategy, with clearly defined lines of responsibility, reporting, and budget ownership."
The study was conducted by the independent research organization Opinion Matters and recorded the views and experiences of 1,505 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1,000 employees across a range of vertical sectors. It covered five countries: the USA, the UK, Mexico, Switzerland and Singapore.