Supply chain breaches impacted 97% of firms in the past year

Cyber security breaches that occurred in the supply chain have negatively impacted 97% of firms in the past 12 months, according to a recent BlueVoyant survey.

The firm surveyed 1,200 CIOs, CISOs, and chief procurement officers as part of its research for the Managing Cyber Risk Across the Extended Vendor Ecosystem report, which also found that 93% admitted they had suffered a direct cyber security breach because of weaknesses in their supply chain.

The number of organizations reporting a supply chain of over 1,000 companies more than doubled from 14% in 2020 to 31% in 2021. At the same time, the number of companies reporting 500 vendors or fewer dropped from 29% to 22%. The report said it is possible that supply chains rapidly increased, but it is more likely that companies became more aware of the full extent of their vendor networks.

The survey of IT leaders in organizations with more than 1,000 employees across a range of industries found the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase.

It revealed that only 13% of companies said that third-party cyber risk was not a priority, a drop compared to 31% of companies last year. Respondents who said they had no way of knowing when or if an issue occurs with a third-party supplier’s cyber security increased from 31% to 38%.

Additionally, 91% say the budget for third-party cyber risk management is increasing in 2021.

The research revealed that the health care sector exhibited the highest rate of third-party cyber risk awareness, and 55% said identifying risks was a key priority, compared to an average of 42% of all other respondents. However, this sector also reported high breach figures, with 29% reporting six to 10 breaches in the last 12 months, compared to a 19% average across all other respondents.

Manufacturing respondents were least likely to identify supply chain/third-party cyber security risk as a key priority and were most likely to be reporting on an annual basis only, according to the report.

“Budget increases demonstrate that firms are recognizing the need to invest in cybersecurity and vendor risk management. However, the wide yet consistent array of pain points suggests that this investment is not as effective as it needs to be,” said Adam Bixler, global head of third-party cyber-risk management at BlueVoyant.

“This, tied to the lack of visibility, monitoring, and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, to reduce the exposure of data before attackers take advantage of this.”