Eight in 10 firms have experienced a security breach in the past year © Getty Images

Why do 78% of firms not have full supply chain visibility?

Will Green is news editor of Supply Management
24 September 2020

A third of UK organisations have no way of knowing if cyber security risk emerges in a third-party vendor, according to a report.

The report, by BlueVoyant, said a global survey found 82% of UK organisations had experienced a security breach that originated from vulnerabilities in their “vendor ecosystem” in the past 12 months, while 34% had no way of knowing if risk emerged in a third-party vendor. This figure was the highest of all the countries surveyed.

The report said just 22% monitored their entire supply chain, “which means that 78% do not have full visibility”.

UK organisations had experienced an average of 2.6 security breaches in the past year, the survey found.

The survey involved 1,505 chief procurement officers (CPOs), chief information officers (CIOs) and chief information security officers (CISOs) at organisations with more than 1,000 employees across the US, UK, Mexico, Switzerland and Singapore.

Robert Hannigan, chairman of BlueVoyant International, said: “The lack of visibility into third-party suppliers is very concerning.

“82% of UK organisations have reported a cybersecurity breach caused by their supply chain in the past 12 months, which should be sounding alarm bells for UK plc. The research clearly indicated the reasons behind this high breach frequency: only 22% are monitoring all suppliers, and 40% – the highest percentage out of all countries surveyed – only re-assess their vendors’ cyber risk position six-monthly or less frequently.

“That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”

Globally, the survey found the most common pain point with third-party risk management programmes was working with suppliers to improve security (21%) along with handling the volume of alerts (21%). Dealing with unresponsive suppliers (19%), onboarding and offboarding suppliers with rigour (both 18%), understanding how to penalise suppliers (18%), enforcing supplier service level agreements (18%), and real-time visibility on suppliers (17%) were also highlighted.

On discovery of a problem, 36% of organisations informed the supplier and hoped they fixed the issue. “This lack of control and proactivity when it comes to protecting the business is a matter of concern, but likely derives from the pressure under which teams operate – 17% say a lack of in-house resources is one of the biggest pain points they face,” said the report.

When it came to who held responsibility for third-party supplier risk, 40% of respondents said the CISO, 35% said the CIO and 15% said the CPO.
