Risk Management

Third-Party Attacks Are Increasing, But Third-Party Risk Management Is Failing

The risks associated with the supply chain (for software and services) are huge and growing. A new report shows that boardroom awareness of, and budgets for, third-party risk management have increased; but this is not necessarily translating into effective action.

Over the last year, major attacks such as SolarWinds, Kaseya and Accellion have brought third-party risk to the top of mind. A new report from BlueVoyant, a firm that provides third-party cyber risk management, examines current attitudes to this risk. The report (PDF download) surveyed 1,200 CIOs, CISOs and CPOs (Chief Procurement Officers) with responsibility for this risk.

It found a rising awareness of the urgency of the threat. Last year, 31% of companies said this risk was not on their radar. This has now dropped to 13%. Last year, 14% of companies reported having more than 1,000 third-party vendors. This has more than doubled to 31% of companies – although BlueVoyant suspects the dramatic increase has more to do with increased awareness than with a major rise in the use of third parties.

Over the last year, the number of companies reporting an increase in budget for third-party security risk management has risen from 81% to 91% – but that hasn’t translated into a meaningful improvement in tackling the risk. The main problem is that it is still frequently treated as a GRC issue; that is, an annual, perhaps paper-based, audit of each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk.

The frequency with which vendors are assessed has fallen over the last year, making the problem worse rather than better. Forty-seven percent of companies now audit or report on vendor security no more than twice per year. This is an increase from 32% in 2020. It is no surprise that 38% of the survey respondents said they have no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, up from 29% last year.

“The trends that we’ve identified,” Adam Bixler, global head of third party cyber risk management at BlueVoyant, told SecurityWeek, “are that spending is increasing mostly because of these notable events that have been in the news, but we haven’t necessarily seen operationalization where those budgets are being applied for continuous monitoring and actual risk reduction. The good news is there is awareness and budget is following. Now it’s a matter of tuning that budget appropriately for risk reduction.”

The solution, according to BlueVoyant, is continuous rather than periodic monitoring of third-party vendor security postures. “Even though we are seeing rising awareness around the issue” says BlueVoyant, “breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low… So long as it remains a line item only discussed once or twice a year – or less often – then cyber risk management will continue to languish from a strategic perspective until an inevitable cyber event leaks data, disrupts operations, or embarrasses the firm.”

Such continuous monitoring from companies like BlueVoyant examines the visible security posture of every third-party vendor. “We monitor all of the vendors, suppliers and partners they identify for changes in that attack surface,” said Bixler. “We also characterize external indicators of how their security program is maturing, so we will look for evidence of security controls in place, proper configurations, perimeter patch cadences, to give a level of assurance back to our clients that the vendors, partners and suppliers they connect to are maintaining an acceptable level of security and managing risk appropriately. We like to characterize it as seeing the same view that an attacker would have of a potential target, so we’re working with a similar dataset that anyone on the internet would be able to see.”
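As an added illustration of the difference between continuous and periodic assessment (this is not BlueVoyant's tooling or code from the article), the script below compares constructed monthly snapshots of one vendor's externally visible posture, flags regressions of the kind Bixler describes (weaker TLS accepted, a security header disappearing, a newly exposed service, patch cadence slipping), and works out how long each regression would have gone unseen under a twice-yearly audit schedule. All vendor data, field names and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

TLS_RANK = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}

@dataclass
class Snapshot:
    """One externally observable view of a vendor's perimeter (constructed fields)."""
    observed: date
    tls_min: str                      # weakest TLS version the perimeter still accepts
    hsts: bool                        # HTTP Strict-Transport-Security header present
    cert_expiry: date
    exposed: frozenset = frozenset()  # internet-facing services seen from outside
    patch_age_days: int = 0           # days since perimeter software was last updated

def regressions(prev, cur, max_patch_age=30):
    """Controls that are worse in `cur` than in `prev`: what continuous monitoring flags."""
    out = []
    if TLS_RANK[cur.tls_min] < TLS_RANK[prev.tls_min]:
        out.append(f"weaker TLS accepted: {prev.tls_min} -> {cur.tls_min}")
    if prev.hsts and not cur.hsts:
        out.append("HSTS header disappeared")
    if cur.cert_expiry <= cur.observed:
        out.append("TLS certificate expired")
    for svc in sorted(cur.exposed - prev.exposed):
        out.append(f"new exposed service: {svc}")
    if cur.patch_age_days > max_patch_age >= prev.patch_age_days:
        out.append(f"patch cadence slipped to {cur.patch_age_days} days")
    return out

def monitor(snapshots):
    """Walk consecutive snapshots; map each date with regressions to its findings."""
    found = {}
    for prev, cur in zip(snapshots, snapshots[1:]):
        hits = regressions(prev, cur)
        if hits:
            found[cur.observed] = hits
    return found

def detection_lag_days(found, audit_dates):
    """Days each regression waits for the next scheduled audit (None: no later audit)."""
    lags = {}
    for when in found:
        later = [a for a in sorted(audit_dates) if a >= when]
        lags[when] = (later[0] - when).days if later else None
    return lags

# Constructed sample: one vendor observed monthly in early 2021 (not real data).
SAMPLE = [
    Snapshot(date(2021, 1, 1), "1.2", True, date(2021, 12, 1), frozenset({"https"}), 10),
    Snapshot(date(2021, 2, 1), "1.2", True, date(2021, 12, 1), frozenset({"https"}), 12),
    Snapshot(date(2021, 3, 1), "1.0", True, date(2021, 12, 1), frozenset({"https", "rdp"}), 45),
    Snapshot(date(2021, 4, 1), "1.0", False, date(2021, 12, 1), frozenset({"https", "rdp"}), 75),
]
AUDITS = [date(2021, 1, 15), date(2021, 7, 15)]  # twice-yearly review, as for 47% of respondents
```

Running `monitor(SAMPLE)` flags the March and April regressions on the day they appear, while `detection_lag_days` shows the same findings waiting 136 and 105 days for the July audit.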

BlueVoyant’s survey demonstrates that awareness of third-party risk, and the budgets to tackle that risk, are improving. “Now it’s just a case of tuning that budget to the right capabilities — the right people, processes and technology to be able to reduce that risk,” said Bixler. “This should include understanding which vendors are creating a risk and going back to that vendor with advice on how to decrease the risk. First, we help our clients reduce their own attack surface, and then we do the exact same thing on their behalf for their third-party suppliers.”

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack

Related: Rapid7 Source Code Exposed in Codecov Supply Chain Attack

Related: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain

Related: Huawei and Supply Chain Security – The Great Geopolitical Debate

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
