BlueVoyant released its fifth annual global survey into supply chain cyber risk management. The 2024
study demonstrates progress in third-party risk management (TPRM) as
respondents shifted focus from TPRM awareness and adoption to
enforcement and compliance. The survey results also highlight ongoing
investment in technology and talent to enhance supply chain security.
This year's study found that 81% of organizations reported negative
impacts from supply chain breaches over the past twelve months, down
from 94% in 2023. While this is a marked improvement, the vast majority
of organizations are still reporting breaches.
"More organizations than any previous year indicated that their
primary focus is no longer on awareness of the third-party risk
management problem or adoption of a program, but rather on the
operational, day-to-day challenges of managing an effective program,"
said Joel Molinoff, global head of Supply
Chain Defense at BlueVoyant. "While this progress also brings many new
challenges, it indicates a major step in the right direction when
contrasted with previous years where many organizations had poor
tracking of third-party vendors, little to no leadership oversight, and
virtually no collaboration when it came to remediating cyber issues."
Despite budget increases and greater collaboration with suppliers,
organizations still struggle to combat supply chain threats. Key data
points observed in the report include:
- Increased budget and resources: 86% of respondents say TPRM budgets have increased.
- Increased collaboration with suppliers: More than 36% of
organizations, up from 19% in the prior year, say they have pursued a
far more active role in working with their suppliers each step of the
way to ensure remediation of identified cyber risks.
- Intense difficulty in healthcare: Of the six sectors
evaluated in the survey, healthcare and pharmaceutical companies
reported the highest rate (87%) of being negatively impacted by a breach
in their third-party ecosystem over the last twelve months. More than a
third of healthcare organizations (36%) reported having no means to
detect threats in third parties, also the highest rate across
industries.
- Monitoring and periodic vendor assessment need to take a higher priority: Only
32% of third-party vendors are reported to be regularly monitored
(1,459 suppliers out of a total of 4,510 on average in this survey). At
the same time, 50% of organizations say they do not periodically assess
all their vendors because of challenges related to resources,
technology, and expertise.
"Organizations are making progress in more frequent monitoring of
third parties, though challenges in reporting metrics to senior
management persist," said Brendan Conlon,
Global Director of Supply Chain Defense at BlueVoyant. "As information
security as an industry continues to mature, there will be more focus on
the tighter integration of multiple aspects of security operations.
This means that third-party cyber risk will inevitably be folded into
day-to-day SOC operations and wider risk management programs."