Third-party vendors are companies’ Achilles’ heel

93% of firms have suffered a direct cybersecurity breach due to third parties.

You can spend your life and a lot of money trying to keep the enemy at bay from your cyber defences. You can invest huge sums and effort in the latest technology and in developing the best training practices to ensure that employees know not to give away their passwords or fall victim to phishing scams.

But all that effort may be for naught, according to new research, because third-party cyber vendors are often the weak link in the chain.

A staggering 93% of respondents to a mass survey of companies across the UK, North America, Germany, the Netherlands, and Singapore, in a variety of different sectors, said they had suffered a cybersecurity breach because of third-party solutions. The survey, carried out by cybersecurity company BlueVoyant, polled 1,200 CIOs, CISOs and CPOs responsible for supply chain and risk management.

The findings serve as a stock check on the state of cybersecurity in business, and they weren’t the most promising.

In all, 97% of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain.

Separately, 93% told pollsters working for BlueVoyant that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain.

Such third-party solutions are often seen as the most convenient way to ensure things are kept watertight when it comes to cybersecurity. Yet the reality is quite different: the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-over-year increase.

Adam Bixler, Global Head of Third-Party Cyber Risk Management at BlueVoyant said: “Even though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low. Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the board.”

Worryingly, that alarm bell seems to go unheard by some companies.

Bizarrely, 13% of companies said that third-party cyber risk was not a priority for their organisation. Thankfully, that’s down from last year, when 31% of companies said that supply chain and third-party cyber risk was not on their radar. But the visibility over potential issues when they arise is still weak.

Less than ideal visibility

If and when a cybersecurity issue arises, you want to be sure that you can act quickly to tackle it. But that seems not to be the case for many organisations surveyed for BlueVoyant’s report. More businesses said this year – 38% – that they had no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, compared to 31% last year.

And despite the risks rising and the numbers going in the wrong direction, it appears businesses have not increased their focus or attention on the issue.

The proportion of businesses saying the budget for third-party cyber risk management is increasing stayed flat in 2021 compared to 2020, at 91%. Yet it’s not just a case of throwing money at the problem.

“Budget increases demonstrate that firms are recognising the need to invest in cybersecurity and vendor risk management,” says Bixler. “However, the wide, yet consistent array of pain points suggests that this investment is not as effective as it needs to be. This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, in order to reduce the exposure of data before attackers take advantage of this.”