Strengthening the chain: moving from identifying third-party cyber risk

Joel Molinoff, Global Head of Supply Chain Defence at BlueVoyant, considers how organisations can best prioritise and deal with third-party cyber risk

In recent years, businesses have seen their supply chains impacted by trade disputes, geo-political upheaval, Brexit and a global pandemic. In the midst of this disruption, cybercriminals have taken advantage of supply chain vulnerabilities for financial gain.

Last year showed no shortage of supply chain-related cyber incidents, with victims reportedly ranging from NHS 111 vendors to private companies like DoorDash, and, more recently, Uber. With these vendor ecosystems growing at an exponential rate, risk visibility and risk mitigation should be a priority for all.

The risk potential of a complex and unmonitored supply chain is staggeringly high for UK organisations. BlueVoyant's latest Supply Chain Defence report, which surveyed more than 2,100 organisations regarding their supply chain defence practices, found that 97% of UK respondents had been negatively impacted by a cybersecurity breach that occurred in their supply chain in the 12 months between September 2021 and September 2022. Worse still, only 79% of UK organisations reported an increased budget for supply chain cyber risk management in the last 12 months, below the global average.

Supply chain cyber incidents can affect business operations in a number of ways, which can be broken down into a ‘risk trinity’. For organisations looking to properly evaluate third-party cyber risk and prioritise supply chain risk management spending, having a clear idea of the impact of these incidents is essential.

SUPPLY CHAIN 'RISK TRINITY'
The fallout of supply chain cyber incidents typically comes in three main forms. Organisations need to ensure that they are secured against each layer of supply chain cyber risk to mitigate disruptions and data breaches within their own networks.

The first category is when a core supplier suffers its own cyberattack, preventing it from delivering essential products and services. Even if the core organisation avoids any data breach of its own in these attacks, the resulting disruption within the supply chain can cause financial and reputational damage as customers receive a slower, or suspended, service. This is best demonstrated by the 2017 cyberattack on Maersk, which had a global ripple effect for a number of supply chains.

The second form of supply chain cyberattack is perhaps the one we are most familiar with. It occurs when an organisation experiences a breach because of a vulnerability within a supply chain partner, which allows malicious actors to move laterally from the supplier's network into the organisation itself. Think of the SolarWinds hack in 2020, in which attackers penetrated thousands of organisations and some US federal departments through the IT vendor.

The third category within the risk trinity comes when an organisation suffers a breach because of a vulnerability within a third-party product used in its own operation. Many cybersecurity professionals will remember the far-reaching disruption of the Log4j vulnerability in late 2021 and earlier this year as a prime example of this: a weakness in open source software triggered "significant impacts" for 20% of organisations.

When looking at the three main categories of third-party cyber risk, it becomes clear that continuously monitoring, and driving risk reduction across, an organisation's vendor ecosystem should be a key priority for organisations seeking resiliency in 2023 and beyond. And yet, looking ahead to 2023, many organisations are facing real-time budget cuts or restraints, due to high inflation and a looming recession.

PRIORITISING THIRD-PARTY CYBER RISK
Even when organisations understand the value of monitoring supply chain cyber risk, tightening budgets often limit the scope of how many suppliers an organisation can assess. This means that some high-risk suppliers are omitted from assessments because of financial constraints, or that assessments happen less often than they should.

Our research has highlighted that UK respondents were less likely to monitor all suppliers for cyber risk, with only 14% of UK organisations reporting that they monitor the full supply chain, compared to 17% globally. This means that 86% of UK organisations fail to have full visibility into their own vendor ecosystems.

By first understanding the number of high-risk suppliers that need reviewing, organisations can best prioritise their energy and budget for third-party cyber risk management.

The risk exposure of supply chain partners can be based on a few factors: what products or services do they provide? What data do they have access to? What regulatory requirements apply to their industry? And do they have direct connectivity to internal systems? Identifying mission-critical suppliers, for example, can mitigate organisational disruption and allow organisations to pursue dual or even multi-sourcing strategies if needed.

An internal discovery process is also essential to this risk assessment, allowing organisations to understand what third-party products exist in their operational environment and which aspects of the business they support.

Lastly, organisations should reassess their current vendor contracts and ensure that contractual clauses are fit for purpose given the calculated level of risk or regulatory environment.
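The prioritisation steps above can be turned into a simple, repeatable vendor-tiering pass. The script below is an added illustration, not BlueVoyant's methodology or tooling: it scores each supplier on the four factors the article lists (service provided, data access, regulatory exposure, direct connectivity), ranks them, assigns an assumed review cadence per tier, and flags mission-critical single-sourced suppliers as dual-sourcing candidates. The weights, thresholds, cadences and the sample inventory are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Vendor:
    name: str
    service_critical: bool     # an outage at this vendor halts a core product/service
    data_access: str           # 'none' | 'internal' | 'confidential' | 'regulated'
    regulated_sector: bool     # sector-specific rules apply to the supplier
    direct_connectivity: bool  # VPN, API, agent or other path into internal systems
    single_sourced: bool       # no alternative supplier in place

# Assumed weights and cadences; tune to the organisation's own risk appetite.
DATA_WEIGHT = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
REVIEW_CADENCE_DAYS = {"high": 30, "medium": 90, "low": 365}

def risk_score(v: Vendor) -> int:
    """Additive score over the four factors. Direct connectivity weighs most
    because it is the lateral-movement path of the trinity's second category."""
    score = DATA_WEIGHT[v.data_access]
    score += 3 if v.service_critical else 0
    score += 1 if v.regulated_sector else 0
    score += 4 if v.direct_connectivity else 0
    return score

def tier(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def prioritise(vendors: List[Vendor]) -> List[Dict]:
    """Rank vendors by score; flag critical single-sourced ones for dual sourcing."""
    rows = []
    for v in sorted(vendors, key=lambda x: (-risk_score(x), x.name)):
        s = risk_score(v)
        rows.append({"vendor": v.name, "score": s, "tier": tier(s),
                     "review_every_days": REVIEW_CADENCE_DAYS[tier(s)],
                     "dual_source_candidate": v.service_critical and v.single_sourced})
    return rows

def count_high_risk(vendors: List[Vendor]) -> int:
    """The number of suppliers that must be reviewed at the tightest cadence."""
    return sum(1 for v in vendors if tier(risk_score(v)) == "high")

# Constructed sample inventory (not taken from the article or any real supply chain).
SAMPLE_VENDORS = [
    Vendor("office-catering", False, "none", False, False, False),
    Vendor("payroll-saas", True, "regulated", True, False, True),
    Vendor("logistics-carrier", True, "internal", False, False, True),
    Vendor("it-monitoring-agent", False, "confidential", False, True, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_VENDORS):
        print(row)
```

Note that the monitoring agent ranks high despite holding no regulated data, purely because of its direct connectivity; that is the case budget-constrained assessments most often miss.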

START OF A NEW STRATEGY
Through in-house or outsourced capabilities, these first steps allow for a base level of supply chain risk assessment. This is a great start, but, for many businesses, the IT and cybersecurity talent shortage leaves overstretched teams struggling to ensure these vendors are monitored frequently enough to effectively mitigate third-party cyber risk.

Outsourcing to specialist third-party cyber risk management services allows these organisations to continuously monitor their external supply chain attack surface, anticipate future risk and act quickly to remediate when new vulnerabilities emerge, essentially moving from cyber risk identification to cyber risk defence. When risks are discovered, these services can ensure that third parties are not only notified of vulnerabilities, but supported throughout remediation.

As supply chains continue to grow, third-party cyber risk management can feel like a mammoth task, but it is essential that it is viewed as a priority. Regardless of an organisation's cyber security posture, it is only as secure as its weakest link. As highlighted by the UK's 2022 National Cyber Strategy, taking the first steps to ensure that mission-critical and high-risk supply chain partners are cyber secure is fundamental to building true operational resiliency in 2023.