97% have been negatively impacted by cybersecurity breaches in their supply chain in the past year as cyber risk visibility proves a key pain point
BlueVoyant, a cybersecurity company that illuminates, validates, and mitigates internal and external risks, today published the findings of its fourth annual global survey into supply chain cyber risk management. The U.K. results show that reducing supply chain cyber risk remains a persistent problem. A concerning 97% of surveyed U.K. organisations report suffering negative impacts from a breach in a third party or supplier partner in the last year, a figure that has remained the same for the past three years.
While U.K. businesses have struggled to move the dial on supply chain cybersecurity to date, the combined survey findings show evidence of growing focus. Increasing board oversight, growing budgets, and rising third-party monitoring frequency are reasons to anticipate a positive shift in the future.
The study was conducted by independent research organisation, Opinion Matters, among 2,100 chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs), with 300 respondents from the U.K., in organisations with more than 1000 employees across a range of industries. It covered 11 countries across North America, Europe, and Asia Pacific.
Supply Chain Cybersecurity and Risk Visibility Problems Persist
Key findings from U.K. organisations include:
- The average number of supply chain/third-party originated breaches reported in the U.K. stood at 3.91, a slight drop from 4.26 in 2022 but still higher than 2021’s figure of 3.57. Twenty-five percent of respondents had suffered between 6 and 10 breaches, a rise from last year’s figure of 21%.
- Sixty-eight percent say that supply chain/third-party cybersecurity risk is either not a priority or only somewhat of a priority, a rise from 62% who said this in 2022.
- Risk awareness remains almost static, with 44% of U.K. respondents saying that supply chain/third-party cyber risk is not on their radar, compared with 43% in 2022.
- 37% of U.K. respondents say they have no way of knowing if an issue arises with a third-party/supplier’s cybersecurity. This figure is consistent with last year’s responses and is considerably higher than the global average of 26%.
- There are signs that monitoring frequency is improving. This year, 46% say they monitor third-party supplier risk monthly or more frequently, an increase from 39% who reported this frequency last year.
- Reporting frequency is rising. There is a growing requirement to brief senior management teams more regularly on third-party cybersecurity risk. Forty-four percent brief monthly or more frequently, among whom 8% brief daily. This is an increase on last year when 39% briefed monthly or more frequently and 5% briefed daily.
Joel Molinoff, BlueVoyant’s global head of Supply Chain Defence, said: “U.K. businesses are still struggling to make progress on reducing supply chain and third-party cyber risk. Awareness and prioritisation remain low and breach frequency is persistently high. However, there are positive signs around rising monitoring rates and increased frequency of senior leadership briefings that may signal the start of a more determined and dynamic approach.”
U.K. Budgets Are Recovering, Driven by High Profile Supply Chain Cyber Breaches
More U.K. organisations report budget growth this year, with 87% expecting budgets to rise, and the average expected increase at 57%. Last year, only 79% expected budgets to rise and the average increase was lower, at 51%.
The survey found that high-profile breaches are exerting an upward influence on budgets, with 51% of U.K. respondents expecting them to lead to more budget for internal resources to help protect against supply chain security issues and 52% believing they will result in more budget for external resources.
High-profile supply chain breaches have also prompted increased scrutiny and oversight from 42% of boards among the surveyed U.K. companies.
Pain Points Around Visibility and Managing Supplier Performance
Among the global research cohort, the top three pain points are internal understanding that third-party/suppliers are part of the company’s cybersecurity posture (19%); working with third-party suppliers to improve their performance (17%); and meeting regulatory requirements and ensuring third-party cybersecurity compliance (16%).
However, U.K. respondents reported a different range of pain points. The most common issue is getting up-to-date visibility into the organisation’s current risk position, reported by 22% in the U.K. compared to 15% globally. The second-most prevalent issue also relates to visibility, as 20% of U.K. respondents reported blind spots where the organisation doesn’t have the resources and visibility to spot emerging risks (16% globally). The third most common issue for U.K. respondents is understanding how to penalise third parties/suppliers when they don’t respond to or remediate issues (19%).
On a related note, it seems U.K. businesses are prepared to be more proactive than global peers when it comes to managing supplier security performance; 22% say they work with the third-party/supplier each step of the way to rectify identified issues, compared to 19% globally.
Automation can help relieve the burden of managing cyber risk across large and complex supply chains, but most still prefer a mix of in-house or external analyst resources with automation used in certain areas. Fifty-four percent of U.K. respondents are taking this approach, while only 20% are using automation technology wherever possible.
Molinoff concludes: “U.K. organisations have identified clear pain points around supply chain risk visibility and managing supplier performance. They must now focus their energies on deploying methods that proactively illuminate and reduce cyber risk, delivering continuous coverage to eliminate blind spots and enabling supplier collaboration to remediate threats as soon as they emerge. With increasing budgets for internal and external support and growing focus among senior leaders, we expect to see investment in intelligent risk management solutions start to pay dividends. There is undoubtedly scope to introduce more automation and AI-powered solutions to manage third-party cybersecurity risk, and this is an area that U.K. companies should explore.”
Learn more about the full global BlueVoyant research report: The State of Supply Chain Defence: Annual Global Insights Report, including analysis across countries and vertical sectors.