Is a lack of supply chain visibility undermining board-level confidence in cyber security programs?

As we head further into 2025, organizations must focus on bolstering operational resilience and addressing third-party risks, driven not only by commercial imperatives but also by new regulatory mandates. With the enactment of regulations such as NIS2 in late 2024 and DORA early this year, supply chain risk management is now a strategic necessity.

This means that third-party cyber risk management must become a strategic priority. However, according to BlueVoyant’s fifth annual Supply Chain Defence report, which examines fast-evolving supply ecosystems, many organizations don’t appear to be prioritizing supply chain cyber risk management, or are unaware of cyber security gaps in their supply chains.

Nearly two-thirds of UK respondents said that third-party cyber security risk management is either not a priority or only somewhat of a priority, and 34 percent said they have no way of knowing when a cyber security incident occurs within their supply chain.

The severe implications of supply chain cyber breaches -- ranging from business disruption to reputational damage -- alongside the threat of regulatory fines, have caught the attention of boards. It is essential for CISOs and CSOs to have a comprehensive understanding of supply chain cyber security to provide effective oversight. A board's view of an organization's cyber risk posture is incomplete without considering third-party connections, as these play a pivotal role in the company's extended ecosystem.

A concerning lack of supply chain cyber security visibility

Within the report, 95 percent of C-level executives responsible for supply chain cyber security at UK companies said they had been negatively impacted by cyber security breaches within their supply chain, compared to 81 percent globally. This underscores the critical need for visibility. Boards must recognize that their organization's digital attack surface is broader and more complex than often realized. The interconnected nature of supply chains demands a heightened focus on third-party risks to maintain a robust security posture.

Engagement and collaboration are increasing -- but not enough

While awareness of third-party cyber risk management (TPRM) is increasing, with more organizations investing in strategic TPRM activities, there remains much to be done. Cross-industry TPRM awareness is growing: the last 12 months have seen a significant evolution across the sector, with organizations investing more time and money in strategic TPRM-related activities. Organizations are increasingly engaging with vendors, embracing automation, and managing SLAs to penalize poor security hygiene. However, the journey towards proactive risk mitigation and incident remediation is ongoing.

Where, for example, many firms had been focusing largely on raising awareness of third-party risk and the implementation of elementary risk management, the emphasis appears to be shifting to optimized management via fully-fledged TPRM programs.

While all the factors above are certainly ‘shifting the needle’, more still needs to be done. It is self-evident that anything critical to a business’s operations will be a natural target for threat actors, and that such targets inevitably only become more tempting as they grow in size and complexity. The supply chain has become a perfect case in point.

Supply chain size continues to increase

The sheer size of organizations' supply chains is exacerbating the lack of visibility and control. In 2024, 80 percent of organizations with between 1,000 and 5,000 employees reported that they are engaged with between 501 and 10,000 third-party suppliers. The majority of UK firms with 10,001-15,000 employees have third-party ecosystems numbering between 1,000 and 10,000 suppliers.

For organizations that reported suffering one or more supply chain cyber incidents in the past 12 months, the research shows that the number of incidents tends to increase directly in proportion with the size of a firm’s supply chain ecosystem.

While 54 percent of UK organizations with 101 to 500 supply partners said they suffered one breach or more, that percentage rose sharply with the number of third parties involved. Ninety-nine percent of firms with 501 to 1,000 supply partners suffered one breach or more, 98 percent of those with 1,001 to 10,000 suppliers did, whilst nearly every UK organization with between 10,000 and 50,000 suppliers was negatively impacted by a cyber security breach in the last 12 months. This highlights that breach rates tend to increase directly in proportion with the size of a firm’s supply chain ecosystem.

The underlying problem

A concerning pattern emerges: many UK organizations only assess critical third-party suppliers biannually, leaving numerous vulnerabilities unchecked. The majority of UK organizations surveyed, regardless of the size of their supplier ecosystem, say they assess critical third-party suppliers only every six months (the exception is organizations with 1,001-10,000 suppliers; here, 32 percent assess once per year, whilst 30 percent assess every six months). This illustrates that many organizations are leaving thousands of third parties -- and therefore potentially tens of thousands of possible vulnerabilities -- entirely to their own fate. Boards of such organizations must ensure that viable strategies are effectively implemented to maintain oversight and visibility.

Increasing senior stakeholder awareness of third-party cyber security risk

There has been a continued uptick in organizational understanding of third-party risk, with companies monitoring greater numbers of vendors and with senior stakeholder reporting becoming more common and standardized.

However, challenges remain, prompting the UK’s National Cyber Security Centre (NCSC) to introduce new guidance on how CISOs can effectively communicate with Boards to improve oversight of cyber risk, after it was found that pain points exist, such as uncertainty over who has accountability for cyber risk within an organization. In the NCSC-commissioned research, some CISOs said they didn’t feel the need to involve the Board on cyber security risk because they felt the Board would struggle to understand the technical terminology around the issues – underlining the need to communicate in simple-to-understand language.

To better tackle supply chain cyber security risks, businesses should:

  • Initiate a proactive visibility program at all levels – especially at Board and C-suite level. This includes cross-departmental and senior stakeholder briefings, reporting, and collaboration.
  • Prioritize effective third-party cyber security risk management and collaboration to reduce breach risk.
  • Implement structured penalties for third parties to encourage compliance amongst those that fail to demonstrate sufficient hygiene, response, and remediation measures.
  • Monitor and evaluate all suppliers on a continuous basis.
  • Introduce tiered monitoring -- from simple questionnaires to advanced continuous monitoring -- offset against costs and aligned with vendor criticality. This will help to alleviate resource, technology and expertise challenges.
  • Ensure third-party cyber security risk management isn’t siloed in IT or elsewhere.
  • Work closely with their third parties to close the remediation loop.
  • Triage and track all issues through every step to full remediation.

Building confidence through preparedness and leadership buy-in

While awareness of third-party risks is rising, preparedness is still lacking. Both are essential for securing third-party ecosystems and instilling confidence in the C-suite and boards. By positioning cyber security as a foundational pillar of risk management, organizations can better protect critical operations, ensuring resilience in the face of future challenges. This journey begins with a robust third-party risk management program, enabling effective business continuity planning and strategic engagement with all stakeholders.

Leigh Glasper is Director, Cyber Advisory at BlueVoyant.