
4 Good Reasons to Include Vendors in Cyber Risk Assessments

Oct. 7, 2020
As cybersecurity threats increase and become more sophisticated and nefarious, companies shouldn’t overlook their third-party vendors’ operations as a source of potential security breaches.


With cybercrime expected to cost the world $6 trillion a year by 2021 (up from $3 trillion in 2015), high-profile cybercrimes are making daily headlines. According to Norton, some of the newest cybersecurity threats this year include deepfakes (artificial intelligence [AI] technology used to create fake images and sounds that appear real); synthetic identities (scammers using a mix of real and fabricated credentials to create the illusion of a real person); and the use of AI to mimic known human behaviors and trick people into giving up personal or financial information.

According to Symantec, supply chain attacks were up 78% in 2019 and aren’t expected to diminish anytime soon. As a result, supply chain cybersecurity remains a big focus area for many organizations. “Organizations without dedicated vendor or third-party risk teams oftentimes have difficulty assessing the posture of their supply chain,” Security Boulevard points out.

“The complexity created by increased digitalization, business growth, and third-party partnerships increases the need to protect sensitive information,” it continues, “including financial, personal, and strategic information such as intellectual property.”

The Threat is Real

According to a recent BlueVoyant survey, 92% of respondents have suffered a breach at the hands of a third party in the past 12 months, with companies experiencing an average of 3.1 breaches within that period. And 69% of respondents said they have limited visibility into their third-party vendors. In “Global Insights: Supply Chain Cyber Risk,” BlueVoyant highlights the different ways companies are managing cyber risk across those extended vendor ecosystems.

“Time and again, as organizations investigate the sources and causes of malicious cyberattacks on their infrastructures, they discover that more often than not, the attack vector is within the infrastructure owned by third-party partners,” BlueVoyant notes. “Organizations must be responsible for protecting not only their own networks and data, but also ensuring that the same protections are in place in their third-party partner systems. The risks are significant and growing, and the mandate is clear.”

BlueVoyant breaks down the four key reasons companies need to do more extensive assessments of their vendors’ cybersecurity risks as:

  1. Vendor-originated breaches are common. In the U.S., organizations have an average of 1,420 vendors in their ecosystems, and 33% of respondents said they had no way of knowing if a risk emerged in a third party. “These vendors are causing significant cyber risk with 92% saying they have suffered a breach in the last 12 months as a result of weakness in the supply chain,” BlueVoyant points out. “The high number of vendors and high percentage of organizations reporting breaches via the supply chain is proof that monitoring the extended supply chain is a large and growing challenge for U.S. organizations.”
  2. Vendor risk visibility and continuous monitoring are both low. According to BlueVoyant’s survey, 31% of firms monitor all vendors, leaving 69% without full visibility. Nineteen percent said they monitor only critical vendors, while 16% said they monitor critical and top third-party vendors. “This leaves a long-tail of vendors entirely unmonitored,” it warns, “with risk potentially arising from any of them on a given day.”
  3. A patchwork of approaches creates operational drag. When it asked about the tools in place to implement third-party risk management, BlueVoyant found a mix of approaches with no single strategy dominating. “Many organizations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 43% [of companies],” it says. “However, static, point-in-time tactics, such as on-site audits and supplier questionnaires, remain common. The multiple approaches used by organizations also present a management challenge when it comes to integrating, analyzing, and prioritizing all the data.”
  4. Cybersecurity budgets are increasing, but multiple pain points diffuse areas for investment. The good news is that organizations are ramping up investment to tackle their cybersecurity issues. According to BlueVoyant, 86% of U.S. companies said their budget for third-party cyber risk management has increased compared to the prior 12 months. These budget increases will likely be partially allocated to headcount, it notes, with companies having an average of 10.8 people in their in-house teams. “Resources are clearly being dedicated to managing cyber risk,” the firm states, “but are they being directed where it matters?”

“There are signs of recognition that the problem needs to be addressed – budgets are rising, but if they are not allocated effectively in a way that gives visibility across the whole vendor ecosystem,” BlueVoyant adds, “U.S. companies will not be able to stem the tide of third-party vendor risk.”
