<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Vendor Risk Management

Analyzing Important Supply Chain Risk Management Data

Melissa Stevens | June 9, 2016

Surveys highlighting third-party security and supply chain risk management best practices are conducted regularly. Many of them draw a similar conclusion: that supply chain risk management is a critical issue IT professionals are aware of, but the awareness isn’t necessarily leading to actionable (or effective) programs and policies.

Below, we’ll walk through two recent surveys—one from Tripwire and one from Soha Systems—and analyze what IT security professionals can learn from this data. 

Tripwire Survey

Tripwire’s 2016 Breach Detection Survey interviewed IT professionals who have visibility into their supply chain and asked questions about their confidence (or perceived confidence) in the area of cybersecurity.

Over 80% of respondents said they are Reporting-Cybersecurity-To-The-Boardconfident in their organization’s ability to protect sensitive customer data, but only 53% said they are confident in the security of their business partners and suppliers. As many first-party organizations are a third-party to another organization, this is a clear contradiction—and goes to show how many organizations may erroneously believe that they have superior IT security practices in place.

When asked about whether their organization has less stringent security standards for smaller business partners or suppliers, only 50% said they have the same standards. The other 50% was split between “having clear guidelines for smaller partners” and making “exceptions on occasions for some partners.” Do you remember the high-profile Target breach? Its “small” vendor Fazio HVAC was hacked, compromising the data of 70 million customers. This goes to show that the size of the vendor makes little to no difference in the risk they present to you—but the level of access that vendor has to your network or data does.

Only 43% of organizations surveyed said they are currently conducting audits of their suppliers or third parties—but 65% said they wouldn't work with someone who didn't meet their security standards. Once again, this is a major discrepancy, highlighting a gap between those who say they have high standards and those who actually enforce them.

Soha Systems Survey

Soha’s Systems recently surveyed enterprise IT and security managers, directors, and executives nationwide about their confidence in handling third-party security and supply chain risk. Like the Tripwire survey, some of their findings were staggering.

According to the survey, 62% of organizations don’t believe that they are vulnerable to a cyberattack from their third parties, but 79% believe their competitors are. Of course, this is a major contradiction and simply doesn’t add up.

Only 8% of respondents think they might lose their job if a data breach occurs on their watch. This signals an interesting lack of accountability among IT professionals—and this idea that high-level employees are not being held accountable is unfounded. After the Target breach, many of Target’s board members were sued and an oversight committee recommended replacing the board, which caused a significant shift in the role of board members. Today, boards are understanding that they can be held liable for their company’s failure to adequately mitigate security risks.

Fifty-six percent of respondents have strong concerns about their ability to control and/or secure their own third-party access. This is another interesting dichotomy, because the vast majority of respondents don’t think they’re at risk for a third-party attack, but over half are concerned about controlling third-party access. Knowing who has access to your critical data is the first step and then controlling that access follows—so if you can’t control your access, your security isn’t going to be effective.

In Summary

Many conclusions can be drawn from these two surveys; one of the most critical is that IT security professionals are either not confident in the security of their partners or their own ability to evaluate those partners—or they’re confident without good reason.

If you know you want to put the right controls in place to mitigate your risk, but you’re unsure of where to start, check out Supply Chain Risk Management: Best Practices For Improved Cybersecurity. This two-part article will walk you through six best practices you should follow and uncover four ways you can properly address your cyber risk.

New Call-to-action

Suggested Posts

Worthwhile TPRM Certifications for Security & Risk Professionals

As the importance of third-party risk management (TPRM) continues to grow, organizations are hiring for related roles more seriously than ever before. To compensate, security and risk professionals are seeking out certification programs in...


Which Third-Party Risk Management Tools Do You Really Need?

With high-profile breaches being traced back to supply chain vulnerabilities and a regulatory environment that’s waking up to the realities of vendor risk, many organizations are investing heavily in third-party risk management (TPRM)...


New Study: Organizations Struggle to Manage Cyber Risk in Their Supply Chains

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.


Subscribe to get security news and updates in your inbox.