Monitoring the supply chain securely can be challenging if an organisation doesn’t have stringent cyberdefences in place. BlueVoyant’s report found that 62% of UK respondents say third-party cyber-risk management is either not a priority or only somewhat of a priority, despite the significant negative impact of cybersecurity breaches in their supply chain. James McDowell, Managing Director, BlueVoyant UK, discusses the report findings and offers insight into how organisations can drive down supply chain risk and protect their operations.
BlueVoyant, an industry-leading cyber defence company that combines internal and external cybersecurity, has released the UK findings of its third annual global survey into supply chain cyber-risk management – The State of Supply Chain Defense: Annual Global Insights Report. The research paints a stark picture, with a staggering 97% of UK survey respondents saying they have been negatively impacted by a cybersecurity breach in their supply chain. Digital supply chains are made up of the external vendors and suppliers who have access that could be compromised.
This statistic hasn’t improved in the 12 months since the survey was undertaken in 2021, when 97% of UK respondents also said they had suffered a negative impact because of weaknesses in supply chain cybersecurity in the previous year.
The study was conducted by independent research organisation, Opinion Matters, and recorded the views and experiences of 2,100 chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs) and chief procurement officers (CPOs), with 300 respondents from the UK, in organisations with more than 1,000 employees across a range of industries. It covered 11 countries across North America, Europe and Asia Pacific.
A bleak picture of escalating supply chain threats and low risk visibility
Other key UK survey findings were:
- The average number of breaches reported in the UK in the last 12 months grew from 3.57 in 2021 to 4.26 in 2022.
- 50% of UK firms said they have been negatively impacted by between two and five cybersecurity breaches in their supply chain. This has led to a corresponding increase in the number of UK respondents who reported a single breach with 36% overall, compared to 33% overall in 2021.
- However, only 38% of UK respondents considered supply chain risk a priority. This is an improving picture from 2021, when only 27% of UK respondents considered supply chain cyber-risk a key priority for their firm and compares more favourably to a 36% global average.
- That said, UK respondents were unlikely to be aware of all the risks in their supply chain, with 43% saying that cyber-risk was not on their radar, compared to 38% in 2021. This compares to the 38% global average.
- When asked how frequently they re-assess third-party or supplier cybersecurity risk, the most common response (27%) by UK respondents was only every six months. Overall, 37% of UK respondents reported six monthly or less frequently — a worsening picture compared to 29% last year. In fact, this year only 3% say they monitor either daily or in real time.
- Automation is key to effective risk monitoring, but the use of vendor risk management programmes in the UK was lower than average; 36% have a programme in place versus the global 41% average. However, this was slightly higher than 2021 when only 32% of UK respondents said they had a programme in place.
- 37% of UK respondents said they have no way of knowing if a cyber-risk emerges in a third-party vendor, a slight decrease from the 39% who reported this in 2021 and slightly lower than the overall 40% global average. However, it is still a clear indication of the complex challenges that UK firms must solve if they are to take control of supply chain risk.
“Visibility into supply chain cybersecurity risk remains an ongoing problem, despite the continuing high prevalence of negative impacts from cybersecurity breaches in the supply chain,” said James McDowell, Managing Director, BlueVoyant UK. “With the escalating threat landscape and number of high-profile incidents being reported, I would recommend firms focus more strategically on addressing supply chain cybersecurity risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand. And while a higher proportion of firms say this is a priority, there is still a significant percentage who appear to be completely unaware of the risks in their supply chains. In today’s interconnected ecosystem, a risk to a supplier is a risk to your own business, therefore relying on vendors to mitigate without any oversight or control leaves organisations vulnerable.”
Monitoring of suppliers
The good news is that UK respondents are more likely to be monitoring critical or top-priority suppliers in their supply chain for cybersecurity risk (28% UK versus 24% global), but less likely to watch the long tail of all their third-party suppliers (14% UK versus 17% global).
Likewise, they are less likely to rely on vendors for adequate security (35% UK versus 45% global) and more likely to work with suppliers on every step until an issue is resolved (45% UK versus 40% global). Additionally, UK organisations are less likely to outsource supply chain defence, except for data analysis and results from monitoring, when compared to their global counterparts (48% UK versus 45% global).
Budgets are decreasing
UK respondents were less likely to report increased budgets for supply chain defence, despite recent attacks and more regulatory scrutiny. Only 79% of respondents said their budgets increased in the last 12 months, compared to 92% in 2021 and a global 84% average.
UK companies surveyed reported an almost equal distribution of managing pain points: too many false positives; overseeing data volume; prioritising risk; knowing their own risk position; among others. However, the biggest pain point cited: working with third-party suppliers to improve their security performance along with dealing with unresponsive third-party suppliers when there is a problem (23%, respectively).
“With UK firms being so heavily targeted, how will they reduce the negative impact of supply chain disturbances and drive down cyber-risk with declining budgets?” asked McDowell. “They must prioritise with the appropriate level of investment so that they can better monitor suppliers and drive down supply chain risk.”
Click below to share this article