Software supply chain weaknesses have become pervasive in the enterprise. That’s according to a new report from BlueVoyant, which today released the findings of its second annual global survey into third-party cyber risk management. The research reveals that 97% of firms have been negatively impacted by a supply chain cybersecurity breach, with 93% admitting that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain.

“Even though we are seeing [a rise in] awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low,” BlueVoyant global head of third-party cyber risk management Adam Bixler said in a statement. “Third-party cyber risk can only become a strategic priority through clear and frequent briefings to the senior executive team and the board. So long as it remains a line item only discussed once or twice a year — or less often — then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or embarrasses the firm.”

BlueVoyant’s report, which was conducted by independent research organization Opinion Matters, surveyed 1,200 executives across companies in business services, financial services, health care and pharmaceutical, manufacturing, utilities and energy, and defense industries. Counterintuitively, the results reveal that while companies increased their cybersecurity budgets by 26% to over 100% in the past 12 months,  the average number of breaches grew even faster, from 2.7 in 2020 to 3.7 in 2021 — a 37% year-over-year increase.

The business services sector had the highest headcount in its cybersecurity and risk teams, while manufacturing companies were the least likely to identify supply chain and third-party cybersecurity risks as key priorities, according to BlueVoyant. Health care providers — 29% of which experienced 6 to 10 breaches in the past 12 months — showed the highest rate of third-party cyber risk awareness, meanwhile, with 55% identifying risk as a major concern.

Supply chain challenges

The BlueVoyant survey underlines the challenges that companies face with the expanding software supply chain. CrowdStrike cited supply chain attacks as a rising threat as far back as 2018 and believes that they will continue to be a major intrusion vector. Often taking the form of hardware or third-party compromises, these attacks provide malicious actors with the ability to propagate from a single intrusion point to multiple downstream targets of interest.

According to a recent Aqua Security report, 73% of respondents are confident in their ability to stop software supply chain attacks, but only 32% are confident in the runtime capabilities required to stop threats like Kinsing malware, which only downloads in runtime.

“Our research shows that there are large concentrations of unknown third-party cyber risk across vertical sectors, supply chains, and vendors worldwide and organizations are experiencing frequent vendor-originated breaches,” Bixler said. “While budgets are rising, the critical question is where funds should be directed to make a tangible impact to reduce third-party cyber risk. A lack of visibility, strategy, and monitoring means the situation is unlikely to improve until it gets the appropriate attention.”

Broadly speaking, the pandemic has had a major impact on cybersecurity. Cybercrimes now cost the world nearly $600 billion each year. Meanwhile, the World Economic Forum reports that the likelihood of identifying and prosecuting the perpetrators of cyberattacks in the U.S. has fallen to a dismal 0.05%.

Cyber investments are only likely to accelerate as hackers target newly digital businesses. Ransomware has increased 148% year-over-year with an estimated 2.9 million attacks so far in 2021, and the European Union Agency for Cybersecurity (ENISA) recently predicted a fourfold rise in supply chain attacks in 2021 over last year. High-profile incidents like the Colonial Pipeline shutdownJBS’ supply chain disruptions, and compromised servers at SolarWinds and Microsoft could drive a 12.4% increase of spending on global information security and risk management technologies to $150 billion this year.

VentureBeat

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more
Become a member