Third-Party Attacks Are Increasing, But Third-Party Risk Management Is Failing
The risks associated with supply chain (for software and services) is huge and growing. A new report shows that boardroom awareness and budgets for third-party risk management has increased; but this is not necessarily translating into effective action.
Over the last year, major attacks such SolarWinds, Kaseya and Accellion have brought third party risk to top of mind. A new report from BlueVoyant, a firm that provides third-party cyber risk management, examines current attitudes to this risk. The report (PDF download) surveyed 1,200 CIOs, CISOs and CPOs (Chief Procurement Officers) with responsibility for this risk.
It found a rising awareness of the urgency of the threat. Last year, 31% of companies said this risk was not on their radar. This has now dropped to 13%. Last year, 14% of companies reported third party vendors in excess of 1000. This has more than doubled to 31% of companies – although BlueVoyant suspects the dramatic increase is more to do with increased awareness than with a major rise in the use of third parties.
Over the last year, the number of companies reporting an increase in budget for third party security risk management has increased from 81% to 91% – but that hasn’t translated into a meaningful improvement in tackling the risk. The main problem is it is still frequently treated as a GRC issue; that is, an annual perhaps paper-based audit for each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk.
The frequency with which vendors are assessed has fallen over the last year, making the problem worse rather than better. Forty-seven percent of companies now audit or report on vendor security no more than twice per year. This is an increase from 32% in 2020. It is no surprise that 38% of the survey respondents said they have no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, up from 29% last year.
“The trends that we’ve identified,” Adam Bixler, global head of third party cyber risk management at BlueVoyant, told SecurityWeek, “are that spending is increasing mostly because of these notable events that have been in the news, but we haven’t necessarily seen operationalization where those budgets are being applied for continuous monitoring and actual risk reduction. The good news is there is awareness and budget is following. Now it’s a matter of tuning that budget appropriately for risk reduction.”
The solution, according to BlueVoyant, is continuous rather than periodic monitoring of third-party vendor security postures. “Even though we are seeing rising awareness around the issue” says BlueVoyant, “breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low… So long as it remains a line item only discussed once or twice a year – or less often – then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or embarrasses the firm.”
Such continuous monitoring from companies like BlueVoyant examines the visible security posture of every third-party vendor. “We monitor all of the vendors, suppliers and partners they identify for changes in that attack surface,” said Bixler. “We also characterize external indicators of how their security program is maturing, so we will look for evidence of security controls in place, proper configurations, perimeter patch cadences, to give a level of assurance back to our clients that the vendors, partners and suppliers they connect to are maintaining an acceptable level of security and managing risk appropriately. We like to characterize it as seeing the same view that an attacker would have of a potential target, so we’re working with a similar dataset that anyone on the internet would be able to see.”
BlueVoyant’s survey demonstrates that awareness of third part risk and budgets to tackle that risk are improving. “Now it’s just a case of tuning that budget to the right capabilities — the right people, processes and technology to be able to reduce that risk,” said Bixler. “This should include understanding which vendors are creating a risk and going back to that vendor with advice on how to decrease the risk. First, we help our clients reduce their own attack surface, and then we do the exact same thing on their behalf for their third-party suppliers.”