You can’t secure what you can’t see. And most respondents to our 2022 Canadian Digital Trust Insights survey seem to have trouble seeing their third-party risks—risks obscured by the complexities of their business partnerships and vendor/supplier networks.
Only 41% of Canadian survey respondents (40% globally) say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter in Canada and globally have little or no understanding at all of these risks—a major blind spot of which cyber attackers are well aware and willing to exploit.
Among our Canadian respondents, 54% expect an increase in reportable incidents in 2022 from attacks on the software supply chain (56% globally), but only 31% have formally assessed their enterprise’s exposure to this risk (34% globally). Fifty-nine percent expect a jump in attacks on cloud services (57% globally), but only 44% profess an understanding of cloud risks based on formal assessments (37% globally).
The “most improved” global organizations, on the other hand, have taken note and taken action. They’re 11x more likely to report a high understanding of their third-party risks. Some three-quarters say they’re highly knowledgeable about third-party dangers in five of six areas. Only in their knowledge of “nth-party” risks—those posed by their suppliers’ suppliers and so on, down the line—does the number dip: 69% for the “most improved,” 31% for the rest. Just as we’ve frequently seen in Canada, the more complex the connection, the harder it becomes to see the risks buried within.
Barely half of all Canadian respondents—between 27% and 51%—say they’ve responded to the escalating threats that complex business ecosystems pose (30% to 46% globally). The ones that have responded seem to be focusing their efforts primarily on today, perhaps at the expense of tomorrow. When asked how they’re minimizing their third-party risks, they gave largely reactionary answers: auditing or verifying their suppliers’ compliance (51% vs. 46% globally), sharing information with third parties or helping them in some other way to improve their cyber stance (41% vs. 42% globally) and addressing cost- or time-related challenges to cyber resilience (41% vs. 40% globally).
Only one top response—that they’re refining criteria for onboarding and ongoing assessments (43% vs. 42% globally)—could be considered proactive, offering benefits over the long term. Publicly listed organizations (46% vs. 47% globally) were more likely to claim this step.
Still, more than half have taken no actions that promise a more lasting impact on their third-party risk management. They’ve not refined their third-party criteria (57% vs. 58% globally), not rewritten contracts (66% vs. 60% globally) and not increased the rigour of their due diligence (61% vs. 62% globally).
The organizations that have had the best cyber outcomes over the past two years have consolidated tech vendors as a simplification move. Paring the number of tech and other third parties reduces complexity and increases your ability to know how secure they are. One benefit is that different functions (procurement, risk managers, fraud team, legal, security) can better understand their roles in protecting their supply chains from cyber disruptions. And with fewer vendors to monitor, your organization can more efficiently keep an eye on their security practices.
Visibility also means seeing which challenges others face and what they’re doing to meet them. Collaborators can be an important part of your cyber-business ecosystem. As we’ve seen in other jurisdictions, companies and federal agencies have benefited from public-private partnership and government responses to recent significant cyber incidents. Timely sharing of information matters for cybersecurity in general, critical infrastructure or not.
But fewer than one-third of global survey respondents said their public-private collaboration efforts are “very effectively” helping them achieve their cyber goals. Those that have had the best cybersecurity outcomes over the past two years, however, were 34x more likely to have achieved their public-private collaboration goals “very effectively.”
Globally, organizations increasing their cyber budgets in 2022 were significantly more likely to say they have achieved these goals “very effectively”: