New research indicates that over a third of UK organisations have no way of knowing if a cyber risk emerges in their supply chain.
The findings of a global study into third-party cyber risk management published by BlueVoyant reveal that 82% of large organisations in the UK had experienced a cyber-security breach that originated from vulnerabilities in their supply chain in the past 12 months. The average organisation had been breached in this way 2.6 times.
Organisations are experiencing problems with cyber risk management because they need to mitigate risk across a network that typically encompasses over 1000 suppliers. This is a particular problem in the UK where 34% of organisations say they have no way of knowing if cyber risk emerges in a third-party vendor: this was the highest out of all five countries surveyed in the research.
Just over one fifth (22%) monitor their entire supply chain, which means that 78% do not have full visibility of cyber risks in their supply chain. Of those that do monitor their suppliers, 40% re-assess vendors’ cyber risk position only every six months, or even less frequently.
On a more positive note, 87% of UK organisations say that budget for third-party cyber risk management is increasing, by an average figure of 45%. This is supported by an average headcount in internal and external cyber risk management teams of 11.7 people.
“82% of UK organisations have reported a cybersecurity breach caused by their supply chain in the past 12 months, which should be sounding alarm bells,” Robert Hannigan, Chairman for BlueVoyant International commented. He points out that, because vendor risk is reassessed so infrequently, organisations are in effect “flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”
The problem is that many vendors seem reluctant to engage with their customers on this issue. Organisations cited problems such as unresponsive third-party suppliers and difficulty enforcing SLAs.
It seems clear that the management of cyber security risks is something that should concern both suppliers and their customers. It must be a partnership. Many organisations are waking up to this and suppliers that ignore the issue are likely to find themselves taken off procurement lists.
The UK BlueVoyant report Global Insights: Supply Chain Cyber Risk – Managing Cyber Risk Across the Extended Vendor Ecosystem (registration required) is based on a study conducted by the independent research organisation Opinion Matters and records the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organisations with more than 1000 employees across a range of sectors. It covers five countries: USA, UK, Mexico, Switzerland and Singapore.