
A new survey finds 60 percent of surveyed UK and US cybersecurity leaders now admit that security risks originating from third parties and supply chain partners are ‘innumerable and unmanageable.’
The study from IO (which used to be ISMS online) shows 97 percent of cybersecurity leaders say they’re confident in their breach response, with 61 percent describing themselves as ‘very confident.’ Yet, that confidence contrasts dramatically with 61 percent of leaders who say their organization has suffered a third-party or supply chain attack in the past 12 months.
Among organizations that suffered a third-party or supply chain attack, 38 percent experienced customer, employee or partner data breaches, 35 percent suffered financial losses or unplanned costs (e.g. remediation, fines, legal fees), and 33 percent faced temporary system outages or operational disruption. More than a third (36 percent) of organizations that suffered a customer data breach said they had experienced customer or partner churn or loss of trust as a result, while 28 percent faced heightened scrutiny from partners or suppliers.
“Cybersecurity leaders clearly recognize the importance of supply chain security, but many still underestimate how complex and interdependent modern supply networks have become,” says Chris Newton-Smith, CEO of IO. “This confidence needs to be matched by continuous action to avoid the domino effect across networks, impacting customer trust, finances, and operations.”
Despite the growing risks, only 23 percent of all respondents rank supply chain compromise among their top emerging threats, placing it below AI misuse, misinformation, and phishing.
Smaller firms seem to be especially vulnerable. Among cybersecurity leaders within SMEs with up to 49 employees, 28 percent report supply chain disruption or cascading partner issues following a customer data breach, compared with 21 percent of large enterprises. This suggests smaller firms are less able to contain the fallout of third-party incidents, often due to limited resources, smaller security teams, and fewer formal risk processes.
“Attackers increasingly see smaller suppliers as soft entry points into larger targets,” adds Newton-Smith. “They may not be the ultimate prize, but they’re often the route into the larger organizations. Securing the entire supply chain is essential for national and commercial resilience.”
On a positive note, 80 percent of organizations say they have already strengthened their third-party and vendor risk management practices in the last 12 months or longer, with a further 17 percent planning to do so in the next year. Meanwhile, 21 percent of leaders list strengthening vendor and third-party risk management among their top cybersecurity priorities for the next year, reflecting a clear shift toward long-term resilience planning.
You can get the full report from the IO site.
Image credit: mc_stockphoto.hotmail.com/depositphotos.com