BlueVoyant report shows decline in supply chain breaches

BlueVoyant has released its fifth annual global survey into supply chain cyber risk management, indicating progress in third-party risk management while breaches persist.

The 2024 study from the cyber defence company highlights a shift among organisations from awareness and adoption of third-party risk management (TPRM) to enforcement and compliance efforts.

Despite these advancements, the report shows that 81% of organisations experienced negative impacts from supply chain breaches over the past year, a decrease from 94% in 2023. This suggests most organisations continue to report breaches.

"More organisations than any previous year indicated that their primary focus is no longer on awareness of the third-party risk management problem or adoption of a program, but rather with the operational, day-to-day challenges of managing an effective program," said Joel Molinoff, Global Head of Supply Chain Defense at BlueVoyant.

"While this progress also brings many new challenges, it indicates a major step in the right direction when contrasted with previous years where many organisations had poor tracking of third-party vendors, little to no leadership oversight, and virtually no collaboration when it came to remediating cyber issues."

Findings show that although there is increased budgetary allocation and enhanced collaboration with suppliers, organisations still face difficulties in addressing supply chain threats. Data from the report reveal that 86% of respondents have increased TPRM budgets, while over 36%—up from 19% the previous year—reported more active collaboration with suppliers to ensure risk remediation.

Healthcare and pharmaceutical sectors emerged with the most significant challenges, with 87% of companies in these sectors reporting negative impacts from supply chain breaches. Over a third of these organisations, at 36%, lack capabilities to detect third-party threats, marking the highest rate of ineffectiveness across industries.

The survey also emphasizes a need for prioritizing monitoring and periodic assessment of vendors. Only 32% of third-party vendors, translating to about 1,459 out of an average of 4,510 surveyed, are regularly monitored.

Furthermore, half of the respondents indicated they do not periodically assess all vendors due to resource, technology, and expertise challenges.

"Organisations are making progress in more frequent monitoring of third parties, though challenges in reporting metrics to senior management persist," said Brendan Conlon, Global Director of Supply Chain Defense at BlueVoyant. "As information security as an industry continues to mature, there will be more focus on the tighter integration of multiple aspects of security operations. This means that third-party cyber risk will inevitably be folded into day-to-day SOC operations and wider risk management programs."

An independent market research organisation, Opinion Matters, conducted this global survey, involving 2,100 senior leaders responsible for supply chain and cyber risk management from diverse industries.

Research spanned across 11 countries in North America, Europe, and Asia Pacific.