BlueVoyant, a global, expert-driven cybersecurity services company, today released the UK findings of its global study into third-party cyber risk management. The study reveals that 82% of UK organisations surveyed had experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average respondent’s organisation had been breached in this way 2.6 times. The research also found organisations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses over 1000 vendors.
The study was conducted by independent research organisation Opinion Matters and recorded the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organisations with more than 1000 employees across a range of vertical sectors. It covered five countries: USA, UK, Mexico, Switzerland and Singapore.
Other key UK findings include:
- 34% say they have no way of knowing if cyber risk emerges in a third-party vendor, this was the highest out of all five countries surveyed
- Just over one fifth (22%) monitor their entire supply chain which means that 78% do not have full visibility
- 40% only re-assess and report their vendor’s cyber risk position either six-monthly or less frequently this again was the highest percentage out of all five countries surveyed
- The average headcount in internal and external cyber risk management teams is 11.7
- 87% say that budget for third-party cyber risk management is increasing, by an average figure of 45%. This was the highest budget increase out of the five countries surveyed.
Commenting on the research findings, Robert Hannigan, Chairman for BlueVoyant International, said: “The lack of visibility into third-party suppliers is very concerning. 82% of UK organisations have reported a cybersecurity breach caused by their supply chain in the past 12 months, which should be sounding alarm bells for UK PLC. The research clearly indicated the reasons behind this high breach frequency: only 22% are monitoring all suppliers, and 40% – the highest percentage out of all countries surveyed – only re-assess their vendors’ cyber risk position six-monthly or less frequently. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”
Multiple pain points exist in third-party cyber risk programs as budgets rise in response
Further insight into the difficulties that are leading to breaches was revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs in the past 12 months. The most common problems were:
- Dealing with unresponsive third-party suppliers when there is a problem;
- Working with suppliers to improve their security performance;
- Enforcing SLAs with all our third-party suppliers and getting them to comply.
However, overall responses were almost equally spread across thirteen different areas of concern. In response to these issues, budgets for third-party cyber risk programmes are set to rise in the coming year. 87% of survey respondents said they expect to see budgets increase, by 45% on average.
Robert Hannigan continues: “The fact that cyber risk management professionals are reporting difficulties across the board shows the complexity they face in trying to improve performance. It is encouraging that budget is being committed to tackling the problem but currently the treatment is not proportional to the scale of the risk faced and organisations are experiencing frequent breaches as a result. There is recognition that more investment is needed – budgets are rising, in fact the UK saw the highest expected increase – however the critical question UK organisations should be asking is where funds should be directed to make a tangible impact to reduce third-party cyber risk?”
Mix of tools and tactics in play
The survey investigated the tools organisations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating. Many UK organisations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by nearly half (47%) of respondents. However static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.
Split over third-party cyber risk ownership
47% of UK organisations think the CIO owns cyber risk while 38% say it belongs to the CISO and 11% say Chief Procurement Officers are responsible. This division over who ultimately owns cyber risk is causing issues around allocation of budget, resources and ultimately an organisation’s ability to remediate issues when they arise.
Robert Hannigan concludes: “Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way. It is critical for UK organisations to decide who owns third-party cyber risk. Until this question is answered, it is impossible to adopt a coherent and effective strategy and make meaningful progress to manage it. Third-party cyber risk must be taken out of operational silos and integrated fully with the organisation’s overall risk management strategy with clearly defined lines of responsibility, reporting, and budget ownership.”
The full UK BlueVoyant research report: ‘Global Insights: Supply Chain Cyber Risk – Managing Cyber Risk Across the Extended Vendor Ecosystem’ is available here.