A staggering 97 percent of UK C-suite executives say they have been negatively impacted by a cybersecurity breach in their supply chain.

The figure is unchanged from when the survey was last conducted in 2021. However, the average number of breaches reported in the UK in the last 12 months grew from 3.57 in 2021 to 4.26 in 2022.
The study, conducted by Opinion Matters for BlueVoyant, recorded the experiences of 2,100 chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs), with 300 respondents from the UK.
Escalating supply chain threats and low risk visibility
Other key UK survey findings were:
- 50 percent of UK firms said they have been negatively impacted by between two and five cyber security breaches in their supply chain. Correspondingly, the proportion of UK respondents who reported a single breach rose to 36 percent overall, compared to 33 percent overall in 2021.
- However, only 38 percent of UK respondents considered supply chain risk a priority. This is an improving picture from 2021, when only 27 percent of UK respondents considered supply chain cyber risk a key priority for their firm and compares more favourably to a 36 percent global average.
- That said, UK respondents were unlikely to be aware of all the risks in their supply chain, with 43 percent saying that cyber risk was not on their radar, compared to 38 percent in 2021. This compares to the 38 percent global average.
- When asked how frequently they re-assess third-party or supplier cybersecurity risk, the most common response (27 percent) from UK respondents was only every six months. Overall, 37 percent of UK respondents reported re-assessing six-monthly or less frequently — a worsening picture compared to 29 percent last year. In fact, this year only three percent say they monitor either daily or in real time.
- The use of vendor risk management programmes in the UK was lower than the global average; 36 percent have a programme in place versus the global 41 percent average. However, this was slightly higher than 2021 when only 32 percent of UK respondents said they had a programme in place.
- 37 percent of UK respondents said they have no way of knowing if a cyber risk emerges in a third-party vendor, a slight decrease from the 39 percent who reported this in 2021 and slightly lower than the overall 40 percent global average. However, it is still a clear indication of the complex challenges that UK firms must solve if they are to take control of supply chain risk.
James McDowell, managing director, BlueVoyant UK said: “Visibility into supply chain cyber security risk remains an ongoing problem, despite the continuing high prevalence of negative impacts from cyber security breaches in the supply chain. With the escalating threat landscape and number of high-profile incidents being reported, I would recommend firms focus more strategically on addressing supply chain cyber security risk.
“In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand. And while a higher proportion of firms say this is a priority, there is still a significant percentage who appear to be completely unaware of the risks in their supply chains. In today’s interconnected ecosystem, a risk to a supplier is a risk to your own business, therefore relying on vendors to mitigate without any oversight or control leaves organisations vulnerable.”
Monitoring of suppliers
The good news is that UK respondents are more likely to be monitoring critical or top-priority suppliers in their supply chain for cybersecurity risk (28 percent UK versus 24 percent global) but less likely to watch the long tail of all their third-party suppliers (14 percent UK versus 17 percent global).
Likewise, they are less likely to rely on vendors for adequate security (35 percent UK versus 45 percent global) and more likely to work with suppliers on every step until an issue is resolved (45 percent UK versus 40 percent global). Additionally, UK organisations are less likely to outsource supply chain defence, except for data analysis and results from monitoring, when compared to their global counterparts (48 percent UK versus 45 percent global).
Budgets are decreasing
UK respondents were less likely to report increased budgets for supply chain defence, despite recent attacks and more regulatory scrutiny. Only 79 percent of respondents said their budgets increased in the last 12 months, compared to 92 percent in 2021 and a global 84 percent average.
UK companies surveyed reported an almost even spread of pain points in managing supply chain risk: too many false positives, the volume of data to oversee, prioritising risk, and knowing their own risk position, among others. The two most-cited pain points, however, were working with third-party suppliers to improve their security performance and dealing with unresponsive third-party suppliers when there is a problem (23 percent each).
“With UK firms being so heavily targeted, how will they reduce the negative impact of supply chain disturbances and drive down cyber risk with declining budgets?” said McDowell. “They must prioritise with the appropriate level of investment so that they can better monitor suppliers and drive down supply chain risk.”