By the Numbers: Supply Chain Cyber Security Risk

Risk amongst third-party vendors is a growing concern in 2020. As internal security efforts have increased, cyber criminals are targeting organizations’ supply chains in search of personally identifiable information (PII), intellectual property (IP), and other sensitive data.

As a result, in the last 12 months, organizations in the United States have experienced an average of 3.1 breaches resulting from vulnerabilities within a third party. 

To begin understanding what leads to vendor-related breaches, it is worth looking at the average number of vendors within an organization’s supply chain.

Across all industries, the average number of vendors per organization is 1420, with nearly half (49%) reporting 501-1000 vendors. Almost a third of organizations (29%) have at least 100-500 vendors to monitor. Up to 14% of organizations have 1001-10000 vendors within their supply chain.

With a substantial number of third parties per organization, it’s no surprise that breaches may happen more frequently among vendors than an organization itself. 

57% of organizations report that they have experienced between 2 and 5 breaches within their supply chain. 10% have experienced more than that, between 6 and 10 breaches, with this number steadily growing. At least a quarter of organizations have suffered at least 1 vendor breach.

Looking at vendor monitoring trends helps explain why the lack of a mature third-party risk management process leaves so many organizations open to multiple breaches. Only 31% of organizations say they monitor all vendors, while 19% monitor only critical ones, and 16% limit their monitoring activity to critical top vendors.

It is evident that visibility is a constant struggle for many organizations, with 69% claiming limited visibility of their third-party cyber security risk while 33% have no way of knowing about any potential vulnerabilities or risks in their supply chain. 

As seen in our analysis of breaches in healthcare, costs are rising in general as organizations deploy more proactive security practices. However, some of the highest cost factors are realized in response to a breach.  

After a breach, organizations scramble to implement security programs, monitoring processes, consulting services, and more. Many don’t even have a Chief Information Security Officer (CISO) or security teams and establish them as one of their immediate mitigating actions post-breach. 

With all these cost factors in play, organizations are seeing budget increases of 45% to not only respond to breaches, but also to drive security program development and implement third-party risk management activities. 

Effective security starts with visibility of your attack surface. There are threats you can’t see, let’s find them.

Security Recommendations 

While ensuring the organization has an effective and mature third-party risk management process in place is the ultimate way to be secure, there are a few things organizations can do beforehand to begin reducing cyber security risk.

An immediate action is to ensure that the organization’s procurement and security teams develop a collaborative relationship with clear workflows to avoid vendors slipping through the cracks. 

One of the first projects for both teams will be to identify which vendors have access to the organization’s data or environment. Deactivate any vendors that are not currently being utilized and classify the rest of your vendors to ensure more attention is given to critical or top third parties. Any deactivated vendors should then go through a proper onboarding process once they are needed again.

The next step is to implement an onboarding process that includes assessing the cyber security risk of any vendor wanting to do business with the organization. Most organizations already have some form of vendor onboarding that includes financial, quality, or delivery risks. Adding cyber security risk to the process is a logical next step.

Lastly, monitoring vendors is an area that will be dictated by available resources and budget, but an organization’s efforts are in vain without a way to continuously monitor the supply chain and improve upon their third-party risk management efforts. Continuous improvement within internal processes helps pave the way to a more secure organization and supply chain. 

Download full infographic!

Building a third party risk management program? Get expert tips and insight.
