
James Tamblin at BlueVoyant UK explains why third-party cyber risk needs to take precedence in 2022
In 2021, third-party cyber-attacks affected multiple industries, with Accellion, SolarWinds and Kaseya being three particularly high-profile examples that hit the headlines during the year. From major banks to defence companies to utilities, healthcare and government, no organisation was immune.
In some cases, a single breach of one vendor's network affected tens of thousands of companies in its ecosystem. The fall-out from SolarWinds alone is estimated to have cost more than $100 billion.
This is one of the reasons why managing third-party vendor cyber risk is going to be a defining cyber-security challenge in 2022.
Vendor supply chains are interlinked and overlapping, with complicated dependencies. So how do companies respond to this challenge and ensure that their supply chain is secure?
Supply chains are multi-layered, meaning that sensitive information might be stored or processed by third- or even fourth-party providers. And they are opaque, which means that gaining visibility into a complete vendor ecosystem can be difficult. Therefore, when attempting to secure it, organisations can often find it hard to even know where to start.
The scale of the problem is vast, a fact that was highlighted in BlueVoyant's cyber risk management survey, published in December 2021. A staggering 97% of UK organisations surveyed said that they had suffered a cyber-security breach because of weaknesses in their supply chain.
This compares to 82% of respondents who suffered a cyber-security breach owing to vendor vulnerabilities in our 2020 survey. Not only was this figure higher than the overall global average of 93% in 2021, but the UK was also second highest out of all the six countries surveyed.
Even if you are slightly sceptical of these figures, they undoubtedly paint a bleak picture of rising threats and high incident levels, which were widely covered in the news throughout last year.
What is interesting is that UK respondents were least likely to prioritise third-party cyber risk management, despite such high prevalence of cyber breaches, and were most likely to say that third-party cyber risk was not on their radar.
The research also shows that the average number of breaches experienced by UK organisations in the past 12 months grew from 2.64 in 2020 to 3.57 in 2021, a higher-than-average rate compared with the other countries surveyed.
This should sound alarm bells and prompt immediate action. With supply chains currently stretched to the breaking point by the COVID-19 pandemic, many UK firms have had to diversify suppliers to build resilience. This could be increasing threats and limiting their supply chain visibility. Businesses must take care when onboarding new vendors that they are not introducing unknown cyber risk into their ecosystem.
Speed is critical in identifying and responding to third-party cyber risk, and the need for rapid response becomes clearer as the details of each attack emerge. Many of the most damaging third-party cyber-attacks in 2021 occurred in the immediate aftermath of the disclosure of new vulnerabilities.
Without frequent, and ideally continuous, monitoring, breaches can therefore go unrecorded and unseen for weeks, if not months.
Automation is key to effective continuous risk monitoring. However, going back to our research, we found that the use of vendor risk management programmes in the UK was lower than average (32% have a programme in place versus the overall average of 39%). Additionally, more than one third of UK respondents admitted they had no way of knowing if a cyber risk had emerged in a third-party vendor.
What was more encouraging is that UK companies did fare better than counterparts in other territories when it came to how frequently they reassess their vendors and brief the executive team on the results. A higher percentage were assessing vendors weekly and monthly than last year and a smaller percentage were reporting less frequently. So there is an improving picture when it comes to monitoring and reporting.
This positive approach to more regular supply chain auditing is promising. However, reporting and assessments could be much more effective if there was more expansive and rigorous awareness of cyber and third-party risk and more sophisticated programmes in place to deliver comprehensive and accurate data.
Finally, the research found that budgets in the UK are rising year-on-year: 92% say that budgets for third-party cyber risk management are increasing in 2021, up from 87% in 2020.
On its face this is a positive indicator, but it raises the question of why it is not resulting in fewer breaches.
However, the degree to which these investments are coordinated is unclear. Surveyed UK companies reported an almost equal distribution of pain points: managing false positives, managing the volume of data, prioritising risk and knowing their own risk position, among others.
The fact that companies are reporting so many issues at once suggests that larger budgets are not yet translating into risk reductions.
Budget increases demonstrate that firms are recognising the need to invest in cyber-security and vendor risk management. But the fact that firms are not prioritising supply chain risk suggests that budgets are not being directed to where they will make the most impact.
Today, we know that adversaries actively scan organisations across the globe for attack vectors that enable damaging data exfiltration and crippling ransomware attacks. Companies therefore need to commit to incorporating continuous monitoring and remediation into their third-party cyber risk programmes.
In addition, they need to raise awareness at the senior executive and board level to help the business prioritise risk and understand the resources needed to protect the business.
This includes gaining better visibility into the supply chain, automation of analysis and expanding assessment into the ‘long tail’ of vendors, not just the critical suppliers. Likewise, they should undertake a programme of supplier cyber-security education and training to ensure their vendors are aware of their cyber risk.
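The automation that the survey finds lacking (a way of knowing when a cyber risk has emerged in a vendor) and the continuous monitoring, risk prioritisation and long-tail coverage recommended above, shown as one worked example. This is an added illustration, not BlueVoyant's tooling or the research's method. It assumes a hand-maintained vendor inventory with a criticality tier per supplier, and a vulnerability feed in the shape of the CISA Known Exploited Vulnerabilities (KEV) catalogue; the inventory, the tiers, the run date and the dateAdded values are constructed for the example, while the CVE identifiers are real ones for the named products.

```python
"""Correlate a third-party vendor inventory with an exploited-vulnerability feed.

Added example, not BlueVoyant's or any vendor's code. Feed entries use the
field names of the CISA KEV catalogue; the inventory, tiers and dates below
are constructed for this example.
"""
from datetime import date

# Constructed inventory. tier 1 = critical supplier, 3 = long-tail vendor;
# 'data' records what the supplier can reach and is shown to aid triage.
INVENTORY = [
    {"vendor": "Accellion", "product": "FTA", "tier": 1, "data": "customer PII"},
    {"vendor": "Kaseya", "product": "VSA", "tier": 2, "data": "endpoint admin"},
    {"vendor": "SolarWinds", "product": "Orion Platform", "tier": 1, "data": "network telemetry"},
    {"vendor": "Example Payroll Ltd", "product": "PayPortal", "tier": 3, "data": "employee PII"},
]

# Constructed KEV-style feed. The CVE IDs are real identifiers for the named
# products; the dateAdded values are made up for this example.
FEED = [
    {"cveID": "CVE-2021-27101", "vendorProject": "Accellion", "product": "FTA",
     "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-30116", "vendorProject": "Kaseya", "product": "VSA",
     "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2020-10148", "vendorProject": "SolarWinds", "product": "Orion Platform",
     "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2021-11-03"},
]


def normalise(name):
    """Lower-case and collapse whitespace so names from different sources compare."""
    return " ".join(name.lower().split())


def match_exposures(inventory, feed, as_of, window_days=30):
    """Return one record per (inventory item, feed entry) match, most urgent first.

    A match is a case-insensitive vendor match plus a product match where either
    side's product name contains the other's. 'new' marks entries added within
    window_days of as_of, the period right after disclosure in which the most
    damaging third-party attacks tend to land.
    """
    exposures = []
    for item in inventory:
        for entry in feed:
            if normalise(entry["vendorProject"]) != normalise(item["vendor"]):
                continue
            p_item, p_feed = normalise(item["product"]), normalise(entry["product"])
            if p_item not in p_feed and p_feed not in p_item:
                continue
            age = (as_of - date.fromisoformat(entry["dateAdded"])).days
            exposures.append({
                "vendor": item["vendor"], "product": item["product"],
                "tier": item["tier"], "data": item["data"],
                "cveID": entry["cveID"], "age_days": age,
                "new": 0 <= age <= window_days,
            })
    # Critical suppliers first, then the freshest entries, then a stable CVE order.
    exposures.sort(key=lambda e: (e["tier"], e["age_days"], e["cveID"]))
    return exposures


def coverage(inventory, exposures):
    """Show how much of the inventory, including the long tail, was checked and hit."""
    hit = {(e["vendor"], e["product"]) for e in exposures}
    return {
        "checked": len(inventory),
        "with_exposure": sum(1 for i in inventory if (i["vendor"], i["product"]) in hit),
        "long_tail_checked": sum(1 for i in inventory if i["tier"] == 3),
    }


if __name__ == "__main__":
    today = date(2021, 11, 10)  # constructed run date
    found = match_exposures(INVENTORY, FEED, today)
    for e in found:
        flag = "NEW " if e["new"] else "    "
        print(f"{flag}tier {e['tier']} {e['vendor']} {e['product']}: "
              f"{e['cveID']} ({e['age_days']}d old, reaches {e['data']})")
    print(coverage(INVENTORY, found))
```

Run on a schedule (daily is a reasonable floor given the post-disclosure window), the script turns "we have no way of knowing" into a ranked list: critical suppliers with fresh feed entries come first, the long-tail vendor is still checked rather than ignored, and the unrelated Microsoft entry is filtered out. Swapping the constructed feed for a downloaded KEV JSON file and the inventory for an export from the procurement system is the only change needed to make it operational.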
James Tamblin is President of BlueVoyant UK. The full UK BlueVoyant research report is titled "Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem".
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543