The State of Supply Chain Defense in 2022
We learned from preparing our Annual Global Insights Report that supply chain defense remains an organizational challenge, with nearly all survey respondents saying they were negatively impacted by a weakness in their supply chain. The report shows best practices that can help organizations improve their cyber defense posture to better protect against breaches that start with vendors and suppliers.
Every year we take a critical look at the perspective of cybersecurity executives operating across key industries on a global scale. Now in its third year, our recently released annual report on supply chain vulnerabilities shows that organizations continue to face many of the same challenges in identifying weaknesses that can be exploited by cybercriminals to gain unauthorized access to an entity within their supply chains, and even more so in effectively mitigating them.
The data in this year’s survey revealed two troubling, but not entirely surprising, trends: (1) supplier cyber risk has increased and (2) more organizations than ever reported being negatively impacted by a cybersecurity breach that occurred in their supply chains. So the question is: how can organizations successfully mitigate risk within their supply chains once it is identified, and what methods are being used?
What We Learned: Supply Chain Risk Identification Isn’t the Problem
Let’s start with what we learned. First, companies are working to discover more about their supply chains. For instance, in 2020 only 14% of all companies surveyed reported having more than 1,000 companies in their supply chains; in 2021 that number more than doubled to 38%, and in 2022 we saw another substantial increase to 50%.
To this end, we are seeing organizations adopt more technology to monitor their suppliers so they can better understand risk. While supplier questionnaire use has been consistent, at just below 30% from 2020 through 2022, use of security ratings services is up from 37% to 39%. This indicates that organizations increasingly value continuous risk monitoring over more static data analysis, while maintaining their questionnaire process to meet compliance requirements.
While use of security ratings services has increased, that upturn has not resulted in fewer organizations being negatively impacted by breaches that occurred in their supply chain.
While organizations are generally making supply chain defense a priority, the news isn’t all good. Our survey also found that 40% of organizations still rely on their suppliers to ensure adequate security. Because risk is distributed throughout vendor ecosystems, relying on vendors to mitigate without any oversight continues to leave even the most well-prepared organizations vulnerable to disruption.
Where We Go From Here: Adopting Effective Risk Reduction Strategies
The path forward is seemingly elusive. With traditional solutions, identifying cyber vulnerabilities and security issues has been the expected outcome — but they have yet to deliver the holy grail of actual risk reduction.
As we’ve learned, this is a problem that won’t be solved with technology alone. Even with security ratings services, network scans, and other technology solutions in place, 42% of respondents reported that if they discover an issue in their supplier ecosystem, they inform the supplier and hope the supplier fixes it.
Working with third-party suppliers to improve their posture continues to be one of the primary pain points in managing supply chain cyber risk.
By adopting a holistic approach that includes proactive outreach to individual suppliers across the supply chain, organizations gain broad visibility into their extended ecosystem. Equally important, organizations can then move beyond continuous monitoring to include risk reduction through direct contact with suppliers.
No matter the industry or region, we believe it has never been more evident that organizations’ risk is distributed across their supply chains. Therefore, it’s critical that these risks be identified and mitigated.
Adam Bixler is BlueVoyant’s Global Head of Supply Chain Defense.
2022: The research was conducted by Opinion Matters, among a sample of 300 respondents per territory (2,100 in total): CTOs/CSOs/COOs/CIOs/CISOs/CPOs (aged 18 and older) responsible for supply chain & cyber risk management, working in companies employing 1,000-plus employees, guaranteeing 50 respondents per industry sector per territory. Sectors: Financial services, Healthcare and pharmaceutical, Utilities and Energy (combined: equal split), Business services (i.e., professional services/legal and so forth), Manufacturing, and Defense. Territories: U.S. & Canada (natural fallout), DACH (Germany, Austria, Switzerland) (natural fallout), France, U.K., The Netherlands, APAC (Australia, Philippines) (natural fallout), Singapore. The data was collected between September 23 - October 4, 2022.
2021: The research was conducted by Opinion Matters, among a sample of 1,200 respondents (aged 18 and older): CTOs/CSOs/COOs/CIOs/CISOs/CPOs responsible for supply chain & cyber risk management, working in companies employing 1,000-plus employees, guaranteeing at least 50 respondents per industry sector per country. Sectors: Financial services, Healthcare & pharmaceutical, Utilities & Energy (combined: equal split), Business services (i.e., professional services/legal and so forth), Manufacturing, Defense. Countries: U.S., Canada, Germany, the Netherlands, U.K. and Singapore. The data was collected between June 22 - July 6, 2021.
2020: The research was conducted by Opinion Matters, among a sample of 1,505 respondents: CIOs/CISOs/CPOs (aged 18 and older) responsible for supply chain and cyber risk management, working in companies employing 1,000-plus employees in the U.K., U.S., Mexico, Singapore, and Switzerland. The data was collected between June 17-25, 2020.
Opinion Matters abides by and employs members of the Market Research Society and follows the MRS code of conduct which is based on the ESOMAR principles.