The devastating Target breach – the result of an earlier attack on the retail giant’s HVAC vendor – wasn’t an anomaly. New research from BlueVoyant found that 92 percent of U.S. organizations suffered a breach in the past 12 months as a result of weakness in their supply chain.
When four other countries (the U.K., Singapore, Switzerland and Mexico) are included in the research, 80 percent of the more than 1,500 CIOs, CISOs and CPOs surveyed suffered a third-party-related breach in the past 12 months. The respondents work for companies that employ more than 1,000 people across a range of industries, including business services, financial services, health care and pharmaceutical, manufacturing, utilities and energy.
Exacerbating the risk: organizations don’t understand what security measures members of their supply chain have in place, with 69 percent admitting they don’t have full visibility into their vendors.
“Time and again, as organizations investigate the sources and causes of malicious cyber attacks on their infrastructures, they discover that more often than not, the attack vector is within the infrastructure owned by third-party partners,” said Debora Plunkett, who sits on the BlueVoyant board of directors and was formerly the NSA’s director of information assurance.
A third of the survey respondents said they had no way of knowing if a risk emerged in a third party’s operations, while only 31 percent said they monitor all vendors, and only 19 percent monitor just critical vendors. (According to the report, U.S. organizations use an average of 1,420 vendors.)
“This leaves a long tail of vendors entirely unmonitored, with risk potentially arising from any of them on a given day,” the report said.
Many organizations fall short when it comes to assessing the risk posed by their supply chains. Only 27 percent reassess and report on third-party cyber risk every six months or less often, meaning they spend at least half a year with no insight into the changing risk in their supply chain; 35 percent reassess and report monthly, and 28 percent do so quarterly. Just nine percent reassess their third-party cyber risk on a weekly basis.
But organizations are upping their budgets to accommodate the risk posed by third parties. In the U.S., 86 percent of respondents said their budgets for third-party cyber risk management increased compared to the previous twelve months.
“It is very important to review the security of your vendors before you engage them, to make sure they are capable of meeting your needs or otherwise enhancing their controls before they are onboarded,” said Phil Venables, a board member of Goldman Sachs and a senior advisor to the bank for risk and cybersecurity.
“But, it is equally important to establish an approach of continuous monitoring to help assure that such control continues to be in place over the life of the engagement,” he added.