Companies remain ill-equipped to understand the extent and nature of the threat to business from third-party vendors. The real challenge has emerged: getting supply chain vendors to consistently address risk promptly after being made aware of a vulnerability or security issue.
The top three challenges listed by respondents this year remain the same as in 2022. First is a lack of internal understanding across the business that third-party vendors and suppliers are part of their cybersecurity posture. Working with third-party suppliers to improve their security performance has moved up to the second biggest pain point after ranking third in 2022. Meeting regulatory requirements and third-party cybersecurity compliance, which was ranked second in 2022, came in third place.
The study found that 47% of executives said they monitored their supply chain vendors monthly, a 5% increase from 2022. Forty-four percent of respondents said they brief senior managers at least once a month on supply chain security threats, up from 38% in 2022.
Perhaps we are reaching a turning point in organizations’ focus on third-party cyber risk management. Eighty-five percent of those surveyed said that they have increased their budget for supply chain/third-party cybersecurity over the last 12 months, a 1% increase from the previous year. Only 6% of respondents said that they decreased their risk management budget over the last 12 months, which represents a 2% rise from 2022.
“We expect these positive trends to continue as the market matures,” wrote the report’s authors. “We also expect further refinement of the technologies and services necessary to address different tiers of third-party relationships, based on priority and criticality to an organization’s operations. While we cannot expect the number of cyberattacks to decrease, we can hope that faster identification and remediation helps to soften their impact.”
The supply chain threat monitoring company commissioned the survey in October 2023. A total of 2,100 respondents representing various executive roles responsible for supply chain management and cyber risk took part in the study. The executives worked for organizations ranging from 1,000 employees to more than 25,000 employees.