The State of Supply Chain Defense in 2023

December 11, 2023 | 5 min read

Joel Molinoff

Global Head of Supply Chain Defense


Our Annual Global Insights Report revealed a rise in supply chain cyber breaches, but there was a notable increase in organizations’ budget, resources and focus on solutions deployed to address these threats. Have we reached a turning point?

If we learned anything from our annual State of Supply Chain Defense report, it’s that we need to continue to prepare for cyber breaches targeting third-party vendors, suppliers, and partners and focus on operationalizing the reduction of third-party risk. Our 2023 survey of C-level cybersecurity executives revealed that the number of supply chain cyber breaches continues to rise, with a reported average 4.16 vendor-related breaches negatively impacting operations this year — a 26% increase from the mean number of 3.29 breaches in 2022.

However, unlike our previous surveys, this year’s study also found that organizations are taking supply chain cybersecurity more seriously than ever before. Respondents report that 47% of their companies now monitor supply chain vendors monthly or more often (including in real time) versus 42% in 2022. Forty-four percent of organizations also report at least monthly briefings to senior management teams, up from 38% in 2022. Even more telling, 85% of organizations increased their budget in the past 12 months to address the increasing demands and attention paid to supply chain cybersecurity—and more than 50% of respondents said aspects of their third-party risk budget will increase next year.

Figure: “What types of solutions do you use to manage third-party cybersecurity risk?”

Now in our fourth year conducting this survey with Opinion Matters, we find ourselves questioning: have we reached a turning point? Many organizations have matured their third-party cyber risk management programs past the point of problem identification towards the deployment of several technologies, internal processes, and outsourced services to more fully address their challenges. Despite this, organizations are still caught off guard and negatively impacted by supply chain breaches like MOVEit, Cisco, and others.

Figure: Supply Chain Cyber Risk Coverage. The average number of third parties in organizations’ supply chains, compared to the number that are actively monitored and evaluated for cyber risk.

We don’t expect organizations to settle for a one-size-fits-all solution, either. This year’s report asked several new questions on how organizations refine their approach to supply chain cyber risk management with vendor tiers. For example, a concentration of high-risk vendors might warrant an approach that includes continuous monitoring and white glove end-to-end service, whereas for lower-risk vendors, less detailed monitoring and questionnaire management technologies may suffice. While the results still revealed some gaps in coverage, the good news is that we’re headed in the right direction.

As organizations look to mature their supply chain risk defenses in the next year and beyond, here are four recommendations to combat common pain points:

  1. Work with your suppliers to mitigate risk. The increasing number of supply chain breaches underscores the importance of actively working with suppliers to enhance security. Organizations that go beyond merely identifying risks and maintain an ongoing dialogue with their vendors are, over time, more successful at resolving critical security issues resident at the vendors they depend on.
  2. Regularly monitor, measure, and brief senior management on your third-party cyber risk posture. Despite improvements in this area, many organizations fail to track their program’s success using outcome-based metrics, such as quantifiable risk reduction. Mature programs will establish a risk-based analytic framework for the continuous monitoring and measurement of risk and provide frequent updates to leadership to ensure buy-in and oversight. The Microsoft Defense Report 2022 highlights the urgency, demonstrating that exploits can be available in just two weeks post-vulnerability disclosure. Tracking, responding to, and reporting on these issues in real time is key.
  3. Tier your third-party relationships and refine your cybersecurity priorities accordingly. Once vendor tiers are established, it's essential to apply appropriate cyber risk controls and technologies. Multiple levels of monitoring become important to cost effectively and efficiently manage various levels of vendor risk.
  4. Educate other business units about the risks of inaction. Over the past four years, a persistent challenge has been internal understanding of the role third-party suppliers play in overall cybersecurity. Fortunately, regulations in the U.S. and Europe will soon mandate greater oversight of supply chain cyber threats. Paired with an increase in budget to address supply chain cybersecurity, now is the perfect time to make sure your entire organization is on the same page and working towards the same security goals.

While we cannot expect the number of supply chain cyber attacks to decrease, we can hope that faster identification and remediation helps to soften their impact. We encourage you to learn more from the BlueVoyant team in the full report, The State of Supply Chain Defense: Annual Global Insights Report, including our analysis across countries and vertical sectors.

Disclaimer

2023: The research was conducted by Opinion Matters, among a sample of 300 respondents per territory (2,100 in total) CTOs/CSOs/COOs/CIOs/CISOs/CPOs (aged 18 and older) responsible for supply chain and cyber risk management working in companies employing 1,000-plus employees guaranteeing 50 respondents per industry sector per territory in the following: Financial services, Healthcare & pharmaceutical, Utilities & Energy (combined: equal split), Business services (i.e., professional services/legal and so forth), Manufacturing, and Defense: UK, US & Canada, DACH (Germany, Austria, Switzerland), France, The Netherlands, Singapore, APAC (Australia, Philippines). The data was collected between October 11 and October 20, 2023.

2022: The research was conducted by Opinion Matters, among a sample of 300 respondents per territory (2,100 in total) CTOs/CSOs/COOs/CIOs/CISOs/CPOs (aged 18 and older) responsible for supply chain and cyber risk management working in companies employing 1,000-plus employees guaranteeing 50 respondents per industry sector per territory in the following: Financial services, Healthcare & pharmaceutical, Utilities & Energy (combined: equal split), Business services (i.e., professional services/legal and so forth), Manufacturing, and Defense: U.S. and Canada (natural fallout), DACH (Germany, Austria, Switzerland) (natural fallout), France, U.K., the Netherlands, APAC (Australia, Philippines) (natural fallout), and Singapore. The data was collected between September 23 and October 4, 2022.

2021: The research was conducted by Opinion Matters, among a sample of 1,200 respondents (aged 18 and older) CTOs/CSOs/COOs/CIOs/CISOs/CPOs responsible for supply chain and cyber risk management working in companies employing 1,000-plus employees guaranteeing at least 50 respondents per industry sector per country in the following: Financial services, Healthcare & pharmaceutical, Utilities & Energy (combined: equal split), Business services (i.e., professional services/legal and so forth), Manufacturing, and Defense. U.S., Canada, Germany, the Netherlands, U.K. and Singapore. The data was collected between June 22 and July 6, 2021.

Opinion Matters abides by and employs members of the Market Research Society and follows the MRS code of conduct, which is based on the ESOMAR principles.