Third-Party Attacks Are Increasing, But Third-Party Risk Management Is Failing


The danger associated with the supply chain (for software and services) is huge and growing. A new report shows that boardroom awareness of, and budgets for, third-party risk management have increased; but this is not necessarily translating into effective action.

Over the last year, major attacks such as SolarWinds, Kaseya and Accellion have brought third-party risk to top of mind. A new report from BlueVoyant, a firm that provides third-party cyber risk management, examines current attitudes to this risk. The report (PDF download) surveyed 1,200 CIOs, CISOs and CPOs (Chief Procurement Officers) with responsibility for this risk.

It found a rising awareness of the urgency of the threat. Last year, 31% of companies said this risk was not on their radar. This has now dropped to 13%. Last year, 14% of companies reported having more than 1,000 third-party vendors. This has more than doubled to 31% of companies, although BlueVoyant suspects the outsized increase has more to do with increased awareness than with a major rise in the use of third parties.

Over the last year, the number of companies reporting an increase in budget for third-party security risk management has increased from 81% to 91%, but that hasn't translated into a significant improvement in tackling the risk. The main problem is that it is still frequently treated as a GRC issue; that is, an annual, perhaps paper-based, audit of each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk: a vendor that passed an audit in January can be breached, misconfigured or left unpatched in February.

The frequency with which vendors are assessed has fallen over the last year, making the problem worse rather than better. Forty-seven percent of companies now audit or report on vendor security no more than twice per year. This is an increase from 32% in 2020. It is no surprise that 38% of the survey respondents said they have no way of knowing when or if an issue arises with a third-party supplier's cybersecurity, up from 29% last year.

“The trends that we’ve identified,” Adam Bixler, global head of third party cyber risk management at BlueVoyant, told SecurityWeek, “are that spending is increasing mostly because of these notable events that have been in the news, but we haven’t necessarily seen operationalization where those budgets are being allotted for continuous monitoring and actual risk reduction. The good news is there is awareness and budget is following. Now it’s a matter of tuning that budget appropriately for risk reduction.”

The solution, according to BlueVoyant, is continuous rather than periodic monitoring of third-party vendor security postures. “Even though we are seeing rising awareness around the issue,” says BlueVoyant, “breaches and the resulting negative impact are still staggeringly high, while the universality of continuous monitoring remains concerningly low… So long as it remains a line item only discussed once or twice a year – or less often – then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or shames the firm.”

Such continuous monitoring from companies like BlueVoyant examines the externally visible security posture of every third-party vendor. “We monitor all of the vendors, suppliers and partners they identify for changes in that attack surface,” said Bixler. “We also characterize external indicators of how their security program is maturing, so we will look for evidence of security controls in place, proper configurations, perimeter patch cadences, to give a level of assurance back to our clients that the vendors, partners and suppliers they connect to are maintaining an acceptable level of security and managing risk appropriately. We like to characterize it as seeing the same view that an attacker would have of a potential target, so we’re working with a similar dataset that anyone on the internet would be able to see.”

BlueVoyant’s survey demonstrates that awareness of third-party risk, and budgets to tackle that risk, are improving. “Now it’s just a matter of tuning that budget to the right capabilities — the right people, processes and technology to be able to reduce that risk,” said Bixler. “This should include understanding which vendors are creating a risk and going back to that vendor with advice on how to decrease the risk. First, we help our customers reduce their own attack surface, and then we do the exact same thing on their behalf for their third-party suppliers.”

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack

Related: Rapid7 Source Code Exposed in Codecov Supply Chain Attack

Related: FBI Warns Ransomware Fight Could Disrupt Food Supply Chain

Related: Huawei and Supply Chain Security – The Great Geopolitical Debate


Kevin Townsend is a Chief Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer publications.
