80 percent of organizations have experienced a third-party breach
Organizations are suffering from a lack of visibility into their supply chain, and 80 percent experienced a breach that originated from vulnerabilities in their vendor ecosystem in the past year.
A new report from cybersecurity services company BlueVoyant, based on research carried out by Opinion Matters, shows that only 22.5 percent of organizations monitor their entire supply chain and just 32 percent re-assess and report their vendors’ cyber risk position either six-monthly or annually.
"That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern," says Jim Penrose, COO of BlueVoyant. "The research clearly indicated the reasons behind this high breach frequency: only 23 percent are monitoring all suppliers, meaning 77 percent have limited visibility and almost one-third only re-assess their vendors’ cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment."
The top three problems with managing third-party risk are cited as managing the volume of alerts generated, working with suppliers to improve security performance, and prioritizing which risks are urgent and which are not.
The business services sector is suffering the highest rate of breaches, with 89 percent saying they have been breached via a weakness in a third party in the past 12 months. The average number of incidents experienced in the past 12 months was also highest in this sector, at 3.6. This is undoubtedly partly down to the fact that firms in the sector reported working with 2572 vendors, on average. In contrast, only 57 percent of respondents from the manufacturing sector say they had suffered third-party cyber breaches in the past 12 months.
Penrose adds, "This underlines that there is no one-size-fits-all solution to managing third-party cyber risk. Different industries have different needs and are at varying stages of maturity in their cyber risk management programs. This must be factored into attempts to improve performance so that investment is directed where it has the greatest impact."
The full report is available from the BlueVoyant site.