70% of Organizations Highly Concerned About Supply Chain Cyber Risk

Organizations that provide software, digital services or managed solutions to other businesses are more likely to express concern.


An ISC2 survey reveals that organizations of all sizes and sectors struggle with a shared challenge: a lack of visibility across their expansive network of third-party vendors and partners.

In fact, 70% of respondents said their organizations are highly (i.e., very or extremely) concerned about cybersecurity risks in their supply chains. Concern is highest among respondents from enterprise organizations, where 82% report high levels of concern. In comparison, 57% of respondents from both small and medium organizations share this level of concern.

Key takeaways:

· Organizations that have experienced a cybersecurity incident originating from a third-party vendor or supplier are significantly more likely to report high levels of concern (75% very or extremely concerned vs. 63% among those without such an incident).

· Similarly, organizations that provide software, digital services or managed solutions to other businesses are more likely to express concern than those that do not (72% very or extremely concerned vs. 65%).

· 82% of financial services organizations report being very or extremely concerned, compared to 70% across all organizations. 67% report being very or extremely concerned about cybersecurity risks in their supply chain.

· 28% of participants said their organizations experienced a cybersecurity incident originating from a third-party vendor or supplier in the past two years. Rates are highest among enterprise organizations, where 34% of respondents said their organization had experienced such an incident. Over one-third (37%) of those employed in financial services said their organizations had been affected in the past two years, significantly higher than other sectors (e.g., IT services at 20%).

· 47% of participants said their organizations were not directly impacted when a supplier had a cybersecurity incident.

· Enterprise organizations are the most likely to have experienced a cybersecurity incident originating from a third-party vendor or supplier, with 34% reporting an impact in the past two years.

· Asked what they consider the biggest challenge in securing the supply chain against cyber threats, respondents most often named a lack of visibility into, transparency from, or control over suppliers.

· Nearly two-thirds of respondents (64%) rank data breaches as the most disruptive cybersecurity threat to their organization's supply chain. Malware or ransomware ranks second at 52%, and software vulnerabilities in supplier products third at 51%. Unauthorized access through third-party credentials (37%) and lack of visibility into supplier cybersecurity practices (35%) score lower but are still ranked as disruptive by more than one-third of respondents. Supply chain threats are not necessarily external: 29% rank insider threats originating at vendors as disruptive to their organizations.

· One of the biggest challenges customers face with their supply chains is a lack of information about the inherent risk that a supplier, or the sub-tier suppliers beneath it, poses to the organization.

· Most organizations (70%) conduct third-party risk assessments on a regular schedule, such as annually or at contract renewal. In addition, 49% assess suppliers during initial evaluation or onboarding, 26% after an incident has occurred, and 25% when monitoring tools alert them to a third-party threat.

· Organizations evaluate their suppliers' cybersecurity practices at varying intervals: 45% assess annually, 10% semi-annually, 17% quarterly and 12% monthly. Notably, evaluation frequency does not differ significantly by organization size or industry.

· 9% of respondents said their organizations evaluate supply chain vendors only during initial onboarding. That leaves a gap: a supplier's security posture, ownership and sub-suppliers can all change over the life of a contract without ever being re-examined.

· Over three-quarters (77%) of participants cite compliance with standards (e.g., ISO 27001, NIST, SOC 2) as the control most commonly required of suppliers, followed by security audits, attestations or assessments (71%), multi-factor authentication and secure access protocols (62%), and incident response and breach notification procedures (61%). Only 5% said their organizations require no controls at all.

· Over half (54%) of respondents report that their organization has a dedicated supply chain risk management program; among enterprise organizations the figure rises to 70%. Of the remainder, 20% rely on contracts and service level agreements (SLAs), and 16% address risks case by case. A further 10% have no formal program or approach to managing supply chain risk: 8% are in the process of developing one, while 2% have no formal program and no plans to develop one.
