Analyzing Important Supply Chain Risk Management Data

The Problem with Modern Supply Chains
Written by Melissa Stevens
Director of Digital Marketing & Demand

Surveys highlighting third-party security and supply chain risk management best practices are conducted regularly. Many of them draw a similar conclusion: that supply chain risk management is a critical issue IT professionals are aware of, but the awareness isn’t necessarily leading to actionable (or effective) programs and policies.

Below, we’ll walk through two recent surveys—one from Tripwire and one from Soha Systems—and analyze what IT security professionals can learn from this data.

Tripwire Survey

Tripwire’s 2016 Breach Detection Survey interviewed IT professionals who have visibility into their supply chain and asked questions about their confidence (or perceived confidence) in the area of cybersecurity.

Over 80% of respondents said they are confident in their organization’s ability to protect sensitive customer data, but only 53% said they are confident in the security of their business partners and suppliers. Since most first-party organizations are themselves a third party to someone else, these two figures cannot both hold across the population surveyed: a large share of organizations must be rating their own security practices more highly than their customers would.

When asked whether their organization applies less stringent security standards to smaller business partners or suppliers, only 50% said they hold every partner to the same standard. The other 50% was split between having “clear guidelines for smaller partners” and making “exceptions on occasion for some partners.” The Target breach is the cautionary example: attackers used stolen credentials belonging to Fazio Mechanical, a small HVAC vendor, to get into Target’s network, ultimately compromising the data of some 70 million customers. The size of the vendor makes little or no difference to the risk it presents; the level of access that vendor has to your network or data is what matters, and that is what any exception policy should be keyed to.

Only 43% of the organizations surveyed said they currently audit their suppliers or third parties, yet 65% said they would not work with a supplier that did not meet their security standards. That is another major discrepancy: without an audit, an organization has no way to know whether a supplier actually meets its standards, so most of that 65% are relying on self-attestation rather than enforcing the standard they claim to hold.

Soha Systems Survey

Soha Systems recently surveyed enterprise IT and security managers, directors, and executives nationwide about their confidence in handling third-party security and supply chain risk. As with the Tripwire survey, some of the findings were striking.

According to the survey, 62% of organizations don’t believe they are vulnerable to a cyberattack through their third parties, but 79% believe their competitors are. Since the respondents are each other’s competitors, both numbers cannot be true of the same population; the contradiction simply doesn’t add up.

Only 8% of respondents think they might lose their job if a data breach occurs on their watch. This signals a striking lack of perceived accountability among IT professionals, and the assumption that senior staff will not be held accountable is unfounded. After the Target breach, the company’s CEO and CIO both resigned, board members were named in shareholder lawsuits, and a proxy advisory firm recommended voting out most of the board, a significant shift in how the role of board members is understood. Today, boards understand that they can be held liable for their company’s failure to adequately mitigate security risks.

Fifty-six percent of respondents have strong concerns about their ability to control or secure their own third-party access. This is another dichotomy: the majority of respondents don’t think they’re at risk from a third-party attack, yet over half are not confident they can control the access those third parties have. Knowing who has access to your critical data is the first step; controlling and monitoring that access follows. If you cannot enumerate and control third-party access, the rest of your security program cannot be effective against that vector.

In Summary

Many conclusions can be drawn from these two surveys; one of the most critical is that IT security professionals are either not confident in the security of their partners or their own ability to evaluate those partners—or they’re confident without good reason.

If you know you want to put the right controls in place to mitigate your risk, but you’re unsure of where to start, check out Supply Chain Risk Management: Best Practices For Improved Cybersecurity. This two-part article will walk you through six best practices you should follow and uncover four ways you can properly address your cyber risk.