You can’t secure what you can’t see, and most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks.
Only 40% of survey respondents say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter have little or no understanding at all of these risks — a major blind spot of which cyber attackers are well aware and willing to exploit.
Among our respondents, 56% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 34% have formally assessed their enterprise’s exposure to this risk. Fifty-seven percent expect a jump in attacks on cloud services, but only 37% profess an understanding of cloud risks based on formal assessments.
The “most improved” organisations, on the other hand, have taken note and taken action. They are 11x more likely to report a high understanding of their third-party risks. Some three-quarters say they’re highly knowledgeable about third-party dangers in five of six areas.
Only in their knowledge of “nth-party” risks — those posed by their suppliers’ suppliers and so on, down the line — does the number dip: 69% of the “most improved,” 31% for the rest. The more complex the connection, the harder it becomes to see the risks buried within.
Fewer than half of all respondents — 30% to 46% — say they’ve responded to the escalating threats that complex business ecosystems pose. The ones that have responded seem to be focusing their efforts primarily on today, perhaps at the expense of tomorrow. Asked how they’re minimising their third-party risks, they gave largely reactionary answers: auditing or verifying their suppliers’ compliance (46%), sharing information with third parties or helping them in some other way to improve their cyber stance (42%), and addressing cost- or time-related challenges to cyber resilience (40%).
Only one top response — that they are refining criteria for onboarding and ongoing assessments (42%) — could be considered proactive, offering benefits over the long term. Publicly listed organisations (47%) were significantly more likely to claim this step.
Still, more than half have taken no actions that promise a more lasting impact on their third-party risk management. They’ve not refined their third-party criteria (58%), not rewritten contracts (60%), not increased the rigor of their due diligence (62%). Meanwhile, the “most improved” are five times more likely to have taken all seven actions listed.
Dependence on third parties continues to rise. The “transaction” costs within the enterprise of establishing multiple nodes of partnerships (where risks are hidden) have gone down, thanks to the ubiquity and lower cost of digital interactions via APIs.
Today’s trending cyber-attack target may be the most nefarious one yet: your supply chain of trusted vendors, suppliers and contractors. The weapon? A process many have taken completely for granted: the software update. The payoff? Ransom payments to cybercriminals, valuable intelligence to nation-states or training data sets for AI models to competitors. Over the past decade, vendors and hijacked updates accounted for 60% of software supply chain attacks and disclosures, according to The Atlantic Council. The European Union Agency for Cybersecurity (ENISA) predicted in a July 21, 2021 report that supply chain attacks would quadruple in 2021 over the number of 2020 attacks.
An organisation could be vulnerable to a supply chain attack even when its own cyber defences are good, with attackers simply finding new pathways into the organisation through its suppliers. Detecting and stopping a software-based attack can be very difficult, and complex to unravel. That’s because every component of any given software depends on other components such as code libraries, packages and modules that integrate into the software and are necessary for its operation.
The organisations that had the best cyber outcomes over the past two years have consolidated tech vendors as a simplification move. Paring the number of tech and other third parties reduces complexity and increases your ability to know how secure they are. One benefit is that different functions (procurement, risk managers, fraud team, legal, security) can better understand their roles in protecting their supply chains from cyber disruptions. And with fewer vendors to monitor, your organisation can more efficiently keep an eye on their security practices.
Gaining visibility into the web of third-party relationships and dependencies is a must. Top cybersecurity companies integrate solutions (real-time threat intelligence, threat hunting, security analytics, vulnerability management, intrusion detection and response) on broad platforms.
Finally, good habits go together. In our US Digital Trust Insights Survey, respondents with more advanced data trust practices stood out in multiple ways. They significantly reduced their number of third-party relationships, increased their monitoring, deepened their assessments of third parties and felt confident that their third-party risk management program had shown tangible benefits in the last two years — including increased cost savings, faster implementation of business initiatives, greater customer confidence and enhanced market power.
Visibility also means seeing which challenges others face and what they are doing to meet them. Collaborators can be an important part of your cyber-business ecosystem. Just ask the companies and federal agencies that benefited from the public-private partnership and government responses to significant cyber incidents early in 2021. Timely sharing of information matters for cybersecurity in general, critical infrastructure or not.
But fewer than one-third of survey respondents said their public-private collaboration efforts are “very effectively” helping them achieve their cyber goals. Those who’ve had the best cybersecurity outcomes over the past two years, however, were 34x more likely to have achieved their public-private collaboration goals “very effectively.”
Organisations increasing their cyber budgets in 2022 were significantly likely to say they have achieved these goals “very effectively”:
Share knowledge about new threats, approaches, and solutions in my peer set (38%)
Demonstrate avoidance of tangible financial losses (36%)
Activate public-private sector relationships for more effective responses to a cyber attack on our organisation (33%)
Promote broader awareness and upskilling of workforce (32%)
“Very effective” collaborators also include those in technology, media and telecommunications; those with more than $5 billion in yearly revenues; and, in terms of promoting broader cyber awareness and upskilling the workforce, female respondents.
For influencing governments and policymakers on proposed rules and regulations, smaller companies perceive that they are less effective than larger ones. Respondents from organisations with yearly revenues under $1 billion were significantly more likely to say they are “not very effective” at wielding this influence (7%), as opposed to 4% of those with revenues greater than $1 billion and 3% of those with $5 billion yearly revenues or higher.
For the COO and the supply chain executive
Map your system, especially your most critical relationships, and use a third-party tracker to find the weakest links in your supply chain.
Scrutinise your software vendors against the performance standards you expect. Software and applications that your company uses should undergo the same level of scrutiny and testing that your network devices and users do. The National Institute for Standards and Technology published minimum standards for software testing in July 2021.
After a fuller accounting of your third-party and supply chain risks, identify ways to simplify your business relationships and supply chain. Should you pare down? Combine?
For the CRO and CISO
Build up your technological ability to detect, resist and respond to cyber attacks via your software, and integrate your applications so you can manage and secure them in unison.
Establish a third-party risk management office to coordinate the activities of all functions that manage your third-party risk areas.
Strengthen your data trust processes. Data is the target for most attacks on the supply chain. Data trust and good third-party risk management go hand in hand.
Educate your board on the cyber and business risks from your third parties and supply chain.
Strategic Change Officer; Cybersecurity, Privacy and Financial Crime Markets Leader, PwC Canada
Tel: +1 416 947 8966