62% of U.K. respondents say third-party cyber risk management is either not a priority or only somewhat of a priority, despite the significant negative impact of cyber security breaches in their supply chain
LONDON, Nov. 10, 2022 /PRNewswire/ — BlueVoyant, an industry-leading cyber defence company that combines internal and external cyber security, today released the U.K. findings of its third annual global survey into supply chain cyber risk management. The research paints a stark picture, with a staggering 97% of U.K. survey respondents saying they have been negatively impacted by a cyber security breach in their supply chain. Digital supply chains are made up of the external vendors and suppliers who have access that could be compromised.
This statistic hasn’t improved in the 12 months since the survey was undertaken in 2021, when 97% of U.K. respondents also said they had suffered a negative impact because of weaknesses in supply chain cyber security in the previous year.
The study was conducted by independent research organisation, Opinion Matters, and recorded the views and experiences of 2,100 chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs), with 300 respondents from the U.K., in organisations with more than 1000 employees across a range of industries. It covered 11 countries across North America, Europe, and Asia Pacific.
A Bleak Picture of Escalating Supply Chain Threats and Low Risk Visibility
Other key U.K. survey findings were:
- The average number of breaches reported in the U.K. in the last 12 months grew from 3.57 in 2021 to 4.26 in 2022.
- 50% of U.K. firms said they have been negatively impacted by between two and five cyber security breaches in their supply chain. This has led to a corresponding increase in the number of U.K. respondents who reported a single breach with 36% overall, compared to 33% overall in 2021.
- However, only 38% of U.K. respondents considered supply chain risk a priority. This is an improving picture from 2021, when only 27% of U.K. respondents considered supply chain cyber risk a key priority for their firm and compares more favourably to a 36% global average.
- That said, U.K. respondents were unlikely to be aware of all the risks in their supply chain, with 43% saying that cyber risk was not on their radar, compared to 38% in 2021. This compares to the 38% global average.
- When asked how frequently they re-assess third-party or supplier cyber security risk, the most common response (27%) by U.K. respondents was only every six months. Overall, 37% of U.K. respondents reported six monthly or less frequently — a worsening picture compared to 29% last year. In fact, this year only 3% say they monitor either daily or in real time.
- Automation is key to effective risk monitoring, but the use of vendor risk management programmes in the U.K. was lower than average; 36% have a programme in place versus the global 41% average. However, this was slightly higher than 2021 when only 32% of U.K. respondents said they had a programme in place.
- 37% of U.K. respondents said they have no way of knowing if a cyber risk emerges in a third-party vendor, a slight decrease from the 39% who reported this in 2021 and slightly lower than the overall 40% global average. However, it is still a clear indication of the complex challenges that U.K. firms must solve if they are to take control of supply chain risk.
James McDowell, managing director, BlueVoyant U.K. said: “Visibility into supply chain cyber security risk remains an ongoing problem, despite the continuing high prevalence of negative impacts from cyber security breaches in the supply chain. With the escalating threat landscape and number of high-profile incidents being reported, I would recommend firms focus more strategically on addressing supply chain cyber security risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand. And while a higher proportion of firms say this is a priority, there is still a significant percentage who appear to be completely unaware of the risks in their supply chains. In today’s interconnected ecosystem, a risk to a supplier is a risk to your own business, therefore relying on vendors to mitigate without any oversight or control leaves organisations vulnerable.”
Monitoring of Suppliers
The good news is that U.K. respondents are more likely to be monitoring critical or top-priority suppliers in their supply chain for cyber security risk (28% U.K. versus 24% global) but less likely to watch the long tail of all their third-party suppliers (14% U.K. versus 17% global).
Likewise, they are less likely to rely on vendors for adequate security (35% U.K. versus 45% global) and more likely to work with suppliers on every step until an issue is resolved (45% U.K. versus 40% global). Additionally, U.K. organisations are less likely to outsource supply chain defence, except for data analysis and results from monitoring, when compared to their global counterparts (48% U.K. versus 45% global).
Budgets Are Decreasing
U.K. respondents were less likely to report increased budgets for supply chain defence, despite recent attacks and more regulatory scrutiny. Only 79% of respondents said their budgets increased in the last 12 months, compared to 92% in 2021 and a global 84% average.
U.K. companies surveyed reported an almost equal distribution of managing pain points: too many false positives; overseeing data volume; prioritising risk; knowing their own risk position; among others. However, the biggest pain point cited: working with third-party suppliers to improve their security performance along with dealing with unresponsive third-party suppliers when there is a problem (23%, respectively).
“With U.K. firms being so heavily targeted, how will they reduce the negative impact of supply chain disturbances and drive down cyber risk with declining budgets?” said McDowell. “They must prioritise with the appropriate level of investment so that they can better monitor suppliers and drive down supply chain risk.”
Learn more about the full global BlueVoyant research report: “The State of Supply Chain Defense: Annual Global Insights Report,” including analysis across countries and vertical sectors.
About BlueVoyant
BlueVoyant combines internal and external cyber defence capabilities into an outcomes-based, cloud-native platform called BlueVoyant Elements. Elements continuously monitors your network, endpoints, attack surface, and supply chain as well as the open, deep, and dark web for vulnerabilities, risks, and threats; and takes action to protect your business, leveraging both machine learning-driven automation and human-led expertise. Elements can be deployed as independent solutions or together as a full-spectrum cyber defence platform. BlueVoyant’s approach to cyber defence revolves around three key pillars — technology, telemetry, and talent — that deliver rock-solid cyber defence capabilities to more than 700 customers across the globe.
SOURCE BlueVoyant