The risks associated with the supply chain (for software and services) are huge and growing. A new report shows that boardroom awareness of, and budgets for, third-party risk management have increased; but this is not necessarily translating into effective action.
Over the last year, major attacks such as SolarWinds, Kaseya and Accellion have brought third-party risk to the top of mind. A new report from BlueVoyant, a firm that provides third-party cyber risk management, examines current attitudes to this risk.
It found a rising awareness of the urgency of the threat. Last year, 31% of companies said this risk was not on their radar. This has now dropped to 13%. Last year, 14% of companies reported having more than 1,000 third-party vendors. This has more than doubled to 31% of companies – although BlueVoyant suspects the dramatic increase has more to do with increased awareness than with a major rise in the use of third parties.
Over the last year, the number of companies reporting an increase in budget for third-party security risk management has risen from 81% to 91% – but that hasn’t translated into a meaningful improvement in tackling the risk. The main problem is that it is still frequently treated as a GRC issue; that is, an annual, perhaps paper-based, audit of each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk.