This global report surveyed 2,100 people involved in managing supply chain risk for their organisation, asking them how they are developing effective third-party cyber risk management. The report compares results from respondents based in the UK, Europe, USA and APAC. The main findings are:
On third-party risk:
- Third-party cyber risk is increasing. On average, the participating organisations suffered 4.16 cyber breaches in their supply chain, up from 3.29 in 2022.
- On average, companies have 6,138 third parties in their supply chains. Just 1,870 of these are actively monitored, and 1,689 are evaluated for cyber risk.
- In the UK, a worrying 37% of respondents said they would have no way of knowing if there was a third-party issue, compared to 26% globally.
The top three challenges businesses face:
- Getting people within the organisation to understand that their vendors’ weaknesses are their weaknesses.
- Difficulties in collaborating with third-party suppliers to help improve their security performance.
- Meeting regulatory requirements for ensuring that third parties comply with cybersecurity standards.
On mitigating third-party risk:
- The countermeasures most commonly used to mitigate third-party cyber risk were security rating services (34%), software bills of materials (SBOMs) (31%), continuous monitoring solutions (31%), and questionnaire management solutions (29%).
- It’s good practice to tier vendors by evaluating the specific level of risk they pose and responding with a tailored approach. Hopefully, technologies and services that can address the differences between varying tiers will improve in the coming years.
The good news:
- Almost half of respondents are monitoring their vendors monthly or more often, while 44% are briefing senior management at least once a month.
- 85% say their budget for third-party risk has increased in the last year.
The recommendations:
- Work with your suppliers and help them improve their security posture instead of simply alerting them to vulnerabilities.
- Increase regular monitoring and briefings to senior management. Most respondents do not currently brief their senior management monthly, nor do they monitor third parties more often than monthly. By contrast, it takes only 14 days for a vulnerability to be exploited in the wild after it is disclosed.
- Continuously evaluate and refine vendor tiers. Vendor tiering is challenging, but a few criteria seem to work well.
- Continue to educate business units, to address the leading pain point: a lack of understanding of third-party cyber risk across business units.