Supply Chain Digital Magazine April 2023 | Page 50

only every six months. “And just 3% of them are able to monitor risk daily or in real time,” he says.
“A lot can happen in a week to take a supplier from compliant to high-risk,” McDowell points out. “So if you multiply that by the six months or more at which organisations are typically reassessing their vendors, it is clear that the level of unmanaged risk is considerable.”
BlueVoyant’s research – conducted among 300 senior UK cybersecurity professionals – also found the average organisation had suffered more than four breaches in 2022, up from just over 3.5 breaches on average in 2021.
“This points to a huge visibility problem,” says McDowell. “The majority of cyber risk in the digital supply chain is going undetected for long periods. This allows potential attackers ample time to infiltrate systems, island hop from one to another and launch destructive attack campaigns with little risk of being discovered.”
He adds: “This means that most businesses are easy targets for attacks, and are exposed to the threat of operational disruption, financial losses and reputational damage during a time when economic uncertainties severely impact the chances of recovery.”
Cybersecurity vendor ecosystems can overwhelm firms
McDowell says that, when it comes to supply chain cybersecurity, many organisations “are understandably stumped by the scale of the issue”.
He adds that today’s vendor ecosystems are massive and complex, sometimes comprising thousands of suppliers with varying levels of access to a business’s systems and infrastructure. “Monitoring all these using conventional methods, such as surveys, generates a huge administrative burden and only provides limited assurance of a supplier’s cyber security posture at a single point in time,” he says.
McDowell says that although this “ticks a compliance box it doesn’t offer a picture of evolving risk that helps the business adapt strategically to the threat environment”. Typically, he says, businesses look more closely at top-tier suppliers, “which are mainly those with whom it has strategic relationships. But they have less bandwidth to monitor the long tail of other suppliers,”