Nearly every organization (98%) in a new survey of some 2,100 C-suite executives has been hit by a supply chain cyberattack in the last year, security provider BlueVoyant said in a newly released study.
The study gleaned data from interviews with chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs) responsible for supply chain and cyber risk management in organizations of more than 1,000 employees across business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defense industries.
Greater Focus on Supply Chain Attacks
While the number of companies experiencing digital supply chain attacks has stayed relatively static year-over-year, the attention paid by organizations to that attack vector has increased, BlueVoyant said. Still, the New York-based cyber defender said, there’s a lot of room for organizations to better monitor suppliers and “work with them to remediate issues to reduce their supply chain risks.”
Here are some macro highlights from the survey:
- 40% of respondents rely on the third-party vendor or supplier to ensure adequate security.
- In 2021, 53% of companies said they audited or reported on supplier security more than twice per year. That number has improved to 67% in 2022. These numbers include enterprises monitoring in real time.
- Budgets for supply chain defense are increasing, with 84% of respondents saying their budget has increased in the past 12 months.
- The top pain points reported are internal understanding across the enterprise that suppliers are part of their cybersecurity posture, meeting regulatory requirements, and working with suppliers to improve their security.
More Survey Results
Here are some micro results from the survey:
- Healthcare and pharmaceutical was the third-highest vertical in terms of experiencing greater board scrutiny for supply chain risk at 42%. The sector also indicates the lowest likelihood to increase budget for external resources to bolster supply chain cybersecurity, by a margin of 7% below the next closest vertical.
- Healthcare and pharmaceutical is also the least likely of any vertical (34%) to have no way of knowing if an issue arises with a third party's environment.
- The energy sector was most likely to report negative impact from at least one supply chain breach in the last year (99%), but 49% are monitoring supply chain cyber risk regularly or in real time, and 44% are updating senior leadership monthly or more frequently. In addition, energy companies say they are increasing their budget for supply chain cyber risk by an average of 60%.
- In manufacturing, 64% of respondents say that supply chain cyber risk is on their radar and 44% say they have established an integrated enterprise risk management program.
James Rosenthal, BlueVoyant's chief executive and co-founder, offered some advice:
"While supply chain defense is a challenge, there are solutions for enterprises to better defend against this risk. Enterprises should continuously monitor their supply chain to be able to quickly remediate threats. As companies are being negatively impacted by supply chain disturbances, they must prioritize this risk with the appropriate budget."