BlueVoyant, a cyber defense platform company, has released the UK findings of its second annual global survey into third-party cyber risk management. They paint a stark picture: a staggering 97 per cent of survey respondents have suffered a cybersecurity breach because of weaknesses in their supply chain.
This compares to 82 per cent of respondents who suffered a cybersecurity breach owing to vendor vulnerabilities in 2020. Not only is this higher than the overall average of 93 per cent in 2021, but the UK was also second highest out of all the regions surveyed. The UK was surpassed by European respondents in Germany and The Netherlands (grouped together), where 99 per cent reported supply chain-related cybersecurity breaches.
The study was conducted by the independent research organisation Opinion Matters and recorded the views and experiences of 1,200 CIOs, CISOs and Chief Procurement Officers, 300 of them from the UK, in organisations with more than 1,000 employees across a range of industries including business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defence. It covered six countries: the US, Canada, Germany, The Netherlands, the United Kingdom, and Singapore.
A bleak picture of rising threats and low vendor risk visibility
Other key UK survey findings were equally stark:
- The average number of breaches experienced in the UK in the last 12 months grew from 2.64 in 2020 to 3.57 in 2021.
- UK firms are experiencing a higher-than-average share of repeat breaches, with 59% reporting between 2 and 5 cybersecurity breaches that negatively impacted them, compared to the 49% overall average. Correspondingly, fewer UK respondents report a single breach: 33% of UK respondents compared to 42% overall.
- However, only 27% of UK respondents consider third-party cyber risk a key priority for their firm, compared to a 42% global average.
- Additionally, UK respondents are least likely to be aware of any risks in their supply chain, with 38% saying that cyber risk was not on their radar. This compares to 22% in North America, 23% in Singapore, and 31% in Germany and The Netherlands.
- At the same time, the number of companies reporting supply chains with more than 1,000 companies rose dramatically from 8% in 2020 to 43% in 2021. This means that the average vendor ecosystem in the UK now contains 3,715 third parties, a rise from 1,013 in 2020.
- Automation is key to effective risk monitoring and the use of vendor risk management programmes in the UK was lower than average (32% have a programme in place versus the overall average of 39%).
- 39% of UK respondents say they have no way of knowing if a cyber risk emerges in a third-party vendor, an increase on the 34% who said this in 2020.
James Tamblin, President of BlueVoyant UK, said: “It is concerning that UK firms are not prioritising supply chain cybersecurity risk, despite such a high prevalence of cyber breaches. I would have expected firms to be focusing urgently on addressing third-party cyber risk, especially bearing in mind that almost all the UK firms surveyed have experienced a breach via their supply chain – this should be sounding alarm bells and prompting immediate action. With supply chains stretched to the breaking point by the pandemic, many UK firms have had to diversify suppliers to build resilience, which could also be limiting visibility.”
Vendor monitoring frequency is rising in the UK
However, UK companies did fare better than counterparts in other territories when it comes to how frequently they reassess their vendors and brief the executive team on the results.
- The percentage monitoring weekly rose from just 4% in 2020 to 12% in 2021, while 35% are assessing monthly, a rise of 6% on last year.
- This year, only 29% of UK respondents report assessing vendors six-monthly or less frequently, compared to 47% of global respondents who audited or assessed vendor security no more than twice per year. Last year this figure for UK firms was much higher, with 40% saying that they only re-assessed six-monthly or less frequently, so this is an improving picture.
James Tamblin added: “It was encouraging to see that UK firms are reporting more frequently on supply chain risk than they were last year. This is better than other countries surveyed. This positive approach to more regular supply chain auditing is promising. However, reporting and assessments could be much more effective if there was more expansive and rigorous awareness of cyber and third-party risk and more sophisticated programmes in place to deliver comprehensive and accurate data.”
Budgets are continuing to rise but is money being well spent?
While budgets in the UK are rising year-on-year, this raises the question of why the rise is not resulting in fewer breaches. Ninety-two per cent say that budgets for third-party cyber risk management are increasing in 2021, up from 87% in 2020. In fact, 47% of organisations indicated budgets were rising by 51-100% this year, up from 28% in 2020. However, the degree to which these investments are coordinated is unclear.
Surveyed UK companies report an almost equal distribution of pain points: managing false positives, managing the volume of data, prioritising risk, knowing their own risk position, among others. The fact that companies are reporting so many issues suggests that larger budgets are not resulting in risk reduction. There was a similar picture last year with multiple pain points being reported.
Robert Hannigan, Chairman of BlueVoyant International, concluded: “Budget increases demonstrate that firms are recognising the need to invest in cybersecurity and vendor risk management. However, the fact that UK firms are not prioritising supply chain risk suggests that budgets are not being directed to where they will make the most impact. Additionally, with UK firms being so heavily targeted, how will they reduce the breach rate and drive down cyber risk in the face of such apparent apathy? Clearly there is a lot of work to be done.”
The full UK BlueVoyant research report: “Managing Cyber Risk Across the Extended Vendor Ecosystem” is available here.