– While supply chain security impacts nearly every industry, new research from BlueVoyant hones in on the unique challenges impacting the healthcare and pharmaceutical sector.
– BlueVoyant, the leader in supply chain defense, found that, compared to other verticals like energy and manufacturing, the healthcare sector was least likely to increase budget for external resources to bolster supply chain cybersecurity.
Key Insights from The State of Supply Chain Defense: Annual Global Insights Report 2022
BlueVoyant’s third annual global insights report focuses attention on how organizations are moving past problem identification and mitigating cyber risk challenges within supply chain vendors. The report also sheds light on the challenges that 2022 respondents identified in establishing internal and third-party-sourced functions and technologies for supply chain risk mitigation.
While organizations are generally making supply chain defense a priority, the news isn’t all good. The survey found that 40% of organizations still rely on their suppliers to ensure adequate security. Because risk is distributed throughout vendor ecosystems, relying on vendors to mitigate without any oversight will leave organizations vulnerable. This is reflected by the fact that 98% of respondents have been negatively impacted by a cybersecurity breach that occurred in their supply chain, versus 97% in 2021.
With traditional solutions, vulnerability and security issue identification has been the expected outcome — with a significant amount of false positives — but the holy grail has become risk reduction. How does an organization successfully mitigate risk within its supply chain once it’s identified? Answers to these pointed questions and further key insights from the report are listed and explained as follows:
1. Staying Informed of Risk: While a greater percentage of companies (29% in 2021 to 38% in 2022) said that supply chain cyber risk was not on their radar, we are nevertheless seeing an increased use of technology by organizations so they can better understand and be more informed of risk. While questionnaire use has been consistent, at just below 30% from 2020 through 2022, the use of security ratings services is up from 36% to 39%. This indicates that organizations progressively value continuous monitoring over more static data analysis, while maintaining their questionnaire process to meet compliance requirements. Continuing a trend from the past two years, the number of companies reporting a supply chain size of more than 1,000 companies has increased. In 2020, only 14% of all companies surveyed reported having more than 1,000 companies in their supply chains; in 2021 that number more than doubled to 38%, and in 2022 another substantial increase to 50% was seen.
2. Improved Vendor Risk Visibility: In 2021, 53% of companies audited or reported on supplier security more than twice per year; in 2022 that number has improved to 67%. While this is a positive trend, organizations that do not frequently examine supplier security remain vulnerable to emerging — including zero-day — attacks, which often occur immediately after the vulnerabilities are disclosed. Without continuous monitoring, an accurate way to determine which suppliers are using a particular technology, and rapid mitigation, damage from these threats can be devastating. In one month alone in 2022, the Zyxel Critical Authentication Bypass, VMware Remote Code Execution, and the compromise impacting Okta users all emerged. Continuous monitoring, the capability to assess which suppliers are affected, and a process to work with suppliers to mitigate exploits are all required for organizations to defend against supply chain cybersecurity threats.
3. Budget For Supply Chain Risk Rises: In terms of budget increases, 25% of respondents reported budget increases of 26-50%; 37% revealed increases of 51-100%; and 20% signaled an increase of more than 100%. Only 11% indicated there was no increase, and just 4% said they had a decrease. Unfortunately, despite the reported increases in budgets, many organizations continue to be blind to cyber risk and unable to determine whether an issue has been remediated. In fact, 40% of respondents said they had no way of knowing when or if an issue arises with a supplier. And 42% reported that if they do discover an issue in their supply chain ecosystem and inform their supplier, they cannot verify that the matter was resolved. They can only hope the supplier fixed it.
BlueVoyant’s report also includes key recommendations, such as:
1. Working With Suppliers to Improve Security Postures: Going into 2023 and beyond, working with suppliers and equipping them to address cyber risk should be a top priority. Assuming that your vendors are aware of their security posture and are taking proactive steps, such as patching vulnerabilities, and relying on trust alone, is a risky path. Traditional approaches to monitoring supply chain risk, such as security ratings services, only alert organizations to vulnerabilities in their supply chain. It is left to the supplier to act on alerts and mitigate vulnerabilities and risky behaviors. With a holistic approach that includes proactive outreach to the supply chain to work with individual suppliers, organizations gain broad visibility into their extended ecosystem. By extension, they move beyond continuous monitoring to include risk reduction through direct contact with suppliers. While use of security ratings services has increased from 36% in 2020 to 39% in 2022, that upturn has not resulted in fewer organizations being negatively impacted by breaches that occurred in their supply chain.
2. Educating the Internal Team Around the Importance of Addressing Supply Chain Risk: One of the primary challenges in the creation of a comprehensive supply chain cyber risk program is organizational buy-in and budget allocation. Senior leadership, even those not involved with cybersecurity, must be able to understand that supply chain cyber risk is a critical aspect of business hazard that can represent major financial, reputational, and continuity damage. Educating your senior leadership team can come in the form of monthly or quarterly briefings that share your current risk posture and any issues to be aware of.
3. Integrating Continuous Supply Chain Monitoring and Reporting to the Board and Senior Leadership Team Early and Often: Point-in-time assessments, such as surveys, only reveal risk at that moment and are not sufficient. Using continuous monitoring in your supply chain defense strategy provides a dual advantage. First, organizations can maintain an adaptive understanding of the risk within their supply chain, ensuring they are addressing the vulnerabilities that could compromise their own security posture. Second, frequent contact and visibility into supply chain environments help eliminate blind spots where sensitive information might be unknowingly stored.