UK firms lag on supply chain cyber risk awareness
Risk not on the radar for 44% of UK organisations, finds BlueVoyant
The vast majority of UK firms (97%) have been affected by a cybersecurity breach in their supply chains over the past year, according to research by cybersecurity firm BlueVoyant. Publishing a survey of 2,100 global c-suite executives from 11 countries, BlueVoyant said the findings highlight slow progress in tackling supply chain cyber risk at UK organisations.
Survey respondents in Europe – Germany, Austria, Switzerland, France and the Netherlands – reveal higher levels of awareness of supply chain cyber risks, the company added.
“The UK results show that reducing supply chain cyber risk remains a persistent problem,” BlueVoyant said. The level of cybersecurity breaches in the supply chain has remained the same for the past three years. “UK businesses have struggled to move the dial on supply chain cybersecurity to date,” BlueVoyant said.
The UK poll reveals that 68% of respondents say supply chain cybersecurity risk is either not a priority or only somewhat a priority, up from 62% in 2022, while 44% say supply chain cyber risk is not on their radar, up slightly from 43%.
A quarter of UK respondents incurred between six and ten breaches, up from 21% last year. The survey further finds that 37% of UK firms have no way of knowing if an issue arises with a supplier’s cybersecurity, tracking higher than the global average of 26%.
However, BlueVoyant said it has tracked some early signs of a growing focus on cybersecurity threats in supply chains among UK firms. Some markers have improved, with 46% of UK firms now monitoring third-party supplier risk at least monthly, up from 39%.
There are also growing requirements to brief senior management teams, with 44% now briefing at least monthly, up from 39% last year, compared with the global average of 47%. The average number of breaches originating at suppliers fell slightly for UK firms in 2023 to 3.91 from 4.26 in 2022. This is higher than the US and Canada but lower than peers in Europe and APAC.
“Increasing board oversight, growing budgets, and rising third-party monitoring frequency are reasons to anticipate a positive shift in the future,” BlueVoyant said.
Joel Molinoff, BlueVoyant’s global head of supply chain defence, said: “UK businesses are still struggling to make progress on reducing supply chain and third-party cyber risk. Awareness and prioritisation remain low and breach frequency is persistently high. However, there are positive signs around rising monitoring rates and increased frequency of senior leadership briefings that may signal the start of a more determined and dynamic approach.”
The survey finds that 87% of UK respondents expect their budgets to protect against supply chain cyber risk to increase.
Survey respondents in Europe are more likely to be monitoring their third parties monthly or more frequently at 48%, and are the most likely to brief senior management on supply chain risks monthly or more frequently (46%).
The survey identifies differences between UK and global respondents’ leading pain points in managing supply chain cyber risk.
UK respondents name up-to-date visibility on their organisation’s current risk position as the top concern (22%), compared with 15% for global peers, followed by blind spots to detecting emerging risks at 20%, compared with 16% globally. UK respondents say understanding how to penalise third parties when they don’t respond or remediate issues is their third-biggest challenge in managing supply chain cyber risk.
However, global respondents report that their top three challenges are: internally understanding that third parties/suppliers are part of the company’s cybersecurity posture at 19%; working with third-party suppliers to improve their performance (17%); and meeting regulatory requirements and ensuring third-party cybersecurity compliance (16%).
Molinoff said: “UK organisations have identified clear pain points around supply chain risk visibility and managing supplier performance. They must now focus their energies on deploying methods that proactively illuminate and reduce cyber risk, delivering continuous coverage to eliminate blind spots and enabling supplier collaboration to remediate threats as soon as they emerge.”