BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor

In 2020, BlueVoyant’s inaugural 2020 Global Insights Report stated that managing third-party vendor cyber risk was fast becoming the defining cybersecurity challenge of our time.

In 2021, the cybersecurity landscape has proven that statement. Third-party cyber attacks have affected multiple industries in waves: Accellion, SolarWinds, Kaseya, and more. In some cases, a single breach in one vendor network has affected tens of thousands of companies. Accelerated by the worldwide rise of ransomware activity, cyber attacks on third-party vendors are cause for acute worry. As a result, the importance of cybersecurity has never been clearer.

This year, BlueVoyant commissioned its second annual survey: “Global Insights - Managing Cyber Risk Across the Extended Vendor Ecosystem” by reaching out to 1,200 CIOs, CISOs and CPOs responsible for supply chain and risk management. Here are some of the findings:

• 93% of respondents admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain
• 97% have been negatively impacted by a cybersecurity breach that occurred in their supply chain
• The average number of breaches experienced in the last 12 months grew from last year from 2.7 to 3.7 – a 37% year-over-year increase

The good news is that companies are more focused on third-party and supply chain cybersecurity. Only 13% of respondents said that third-party cyber risk was NOT a priority, a drop compared to last year when 31% of companies said that supply chain and third-party cyber risk was not on their radar.

Vendor Risk Visibility and Continuous Monitoring Remains Low

However, vendor risk visibility and continuous third-party monitoring remains concernedly low despite this heightened risk awareness. The frequency with which companies assess their vendors has fallen year-on-year: 47% audited or reported on vendor security no more than twice per year, compared to 32% in 2020. Additionally, 38% of respondents said that they had no way of knowing when, or if, an issue arises with a third-party supplier’s cybersecurity, compared to 29% last year.

This is despite substantial budget increases to tackle the problem. As in 2020, 91% say that budget for third-party cyber risk management will be increasing in 2021. Surveyed companies report an almost equal distribution of pain points: managing false positives; managing the volume of data; prioritizing risk; and knowing their own risk position, among others. The fact that companies are reporting so many issues suggests that larger budgets are not yet resulting in sufficient risk reduction. Currently, the treatment is not proportional to the scale of the risk faced and organizations are experiencing frequent breaches as a result.

Ultimately, third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the board. So long as it remains a line item only discussed once or twice a year – or less often – then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or embarrasses the firm.

Variations Across Industry Sectors

Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk. The research shows that there are large concentrations of unknown third-party cyber risk across vertical sectors, supply chains and vendors worldwide, and organizations are experiencing frequent vendor-originated breaches. At the end of the day, auditing or assessing your supply chain every few weeks or months is not sufficient to stay ahead of agile, persistent attackers. Continuous monitoring and quick action against newly discovered critical vulnerabilities needs to become the essential condition for effective third-party risk management.

Who Owns Cyber Risk Management?

Finally, executive ownership was found to be a gray area. According to the survey, 47% of organizations think the CIO owns cyber risk while 38% say it belongs to the CISO, and 11% say chief procurement officers are responsible.

This division over who ultimately owns cyber risk is causing issues around allocation of budget, resources, and ultimately an organization's ability to remediate issues when they arise. Some feel it doesn’t matter where risk responsibility falls, so long as it’s at the C-suite level.

Overall, the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way. It is critical for organizations to decide who owns third-party cyber risk.

Until this question is answered, it is impossible to adopt a coherent and effective strategy while developing a meaningful progress to manage it. Third-party cyber risk must be taken out of operational silos and integrated fully with the organization's overall risk management strategy with clearly defined lines of responsibility, reporting, and budget ownership.

Without this strategic shift, organizations will remain exposed to unacceptable levels of unmanaged risk and breaches will be the inevitable result.