According to a survey report by BlueVoyant, companies are more focused on third-party and supply chain cyber risk, and more aware of their vendor ecosystems, than they were in 2020.
Last year, a surprising 31% of companies said that supply chain and third-party cyber risk was not on their radar. This year, by comparison, only 13% of companies said that third-party cyber risk was not a priority. In this year's survey, it is clear that priorities have shifted in response to a rapidly evolving cyber threat landscape.
The number of companies reporting a supply chain of more than 1,000 companies more than doubled from 14% in 2020 to 31% in 2021. At the same time, the number of companies reporting 500 vendors or fewer dropped from 29% to 22%. It is possible that supply chains exploded, but it is more likely that companies became more aware of the full extent of their vendor networks.
The frequency of assessing third-party risk and briefing senior management dropped between the 2020 and 2021 surveys: more companies in 2021 assessed their vendors less often. 47% audited or reported on vendor security no more than twice per year, compared to 32% in 2020, and the proportion of companies practicing continuous monitoring of their vendors also fell, from 0.9% to 0.5%.
This year, many of the most damaging third-party cyber attacks occurred immediately after new critical vulnerabilities were discovered. For example, the January 2021 attacks that exploited weaknesses in Microsoft Exchange began within days of the vulnerabilities being identified. Without continuous monitoring and rapid remediation, attacks like this can leave organisations exposed to significant threats for an extended period of time. Third-party cyber risk management needs to be, and can become, a strategic priority for the business, by ensuring that third-party cyber risk is reported consistently to senior management and the board.
Reports of budget increases matched figures from last year. 29% of companies reported budget increases of 26-50%; 42% reported increases of 51-100%; and 17% reported increases of 100% or more. Only 5% reported no increase and just 4% reported a decrease. While it is encouraging that companies are investing in third-party risk management, the degree to which those investments are coordinated is unclear.
Companies report an almost equal distribution of pain points, including reducing false positives, managing the volume of data, prioritising risk and knowing their own risk position. The fact that organisations report so many of the same issues indicates a high degree of commonality across industries and regions.
38% of respondents said that they had no way of knowing when or if an issue arose with a third party. 41% said that, if they did discover an issue in their third-party ecosystem, they informed the supplier but could not easily verify whether it had been resolved.
For more information, visit: bluevoyant.com