The majority of large companies worldwide do not have a handle on third-party cyber risks in their supply chains, research by PricewaterhouseCoopers (PwC) has uncovered.
After surveying 3,600 C-suite executives, the researchers found that 60% do not have a thorough understanding of the risk of data breaches via third parties, while 20% have little or no understanding of the threat at all.
Notably, 56% of respondents said their organisations expect a rise in breaches through their software supply chain, yet only 34% have formally assessed their exposure to this risk. Similarly, 58% expect a jump in attacks on their cloud services, but only 37% understand these risks.
PwC said that third-party cyber risks are a “glaring blind spot” in an environment where 60% of the C-suite respondents anticipate an increase in cybercrime next year.
Sean Joyce, global and US cyber security and privacy leader at PwC US, said that organisations can be vulnerable to an attack even when their own cyber defences are good, adding: “A sophisticated attacker searches for the weakest link – sometimes through the organisation’s suppliers.
“Gaining visibility and managing your organisation’s web of third-party relationships and dependencies is a must. Yet, in our research, fewer than half of respondents say they have responded to the escalating threats that complex business ecosystems pose.”
Of the C-suite executives who took part in the survey, 62% were from companies with $1bn (£0.7bn) and above in revenues, while 33% were at organisations with $10bn or more in revenues.
Auditing or verifying suppliers’ compliance, sharing information with third parties or otherwise helping them improve their cyber posture, and addressing cost- or time-related challenges to cyber resilience were the most common ways in which respondents had tried to minimise third-party risks.
But a majority had not refined their third-party criteria or rewritten contracts, nor increased the rigour of their due diligence to identify third-party threats.
The research also found that companies with CEO engagement in setting and achieving cyber goals were far more likely to have seen progress in their cyber security outcomes.
“The most advanced organisations see cyber security as more than defence and controls, but as a means to drive sustained business outcomes and build trust with their customers,” Joyce continued.
“As leaders of organisations, CEOs set the tone for focusing their cyber teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations.”
Author: Chris Seekings