Supply chains are creating cybersecurity risks for companies, according to a security services firm report.
New York-based BlueVoyant said it surveyed more than 1,500 CIOs, CISOs and CPOs in five countries. Those executives are in a variety of sectors including manufacturing.
The report said 80 percent of respondents “had suffered a breach” via the supply chain. Most of them “had suffered at least two breaches and one in ten had suffered more than six.”
The consulting firm said 29 percent of respondents “said they had no way of knowing if a risk emerged in a third-party vendor” until a breach occurred. “Such organizations are effectively flying blind.”
“The problem of actual disruptions to the supply chains happening is a real one,” Jim Penrose, COO of BlueVoyant, said in an interview.
Penrose said large manufacturers need to assist their vendors with cybersecurity.
“We all depend on each other,” he said. “Many of the small guys may not have a security staff.”
According to BlueVoyant, only 23 percent of respondents said they monitor all of their vendors, while 19 percent said they monitor only critical vendors.
“This leaves a long trail of vendors entirely unmonitored, with risk potentially arising from any of them on a given day,” according to the report.
Penrose said companies, including manufacturers, conduct reviews at specific intervals.
“The first step is you have to change from this periodic assessment model,” he said. “That periodic review is just too slow.”
The BlueVoyant report said just 2 percent of respondents conduct real-time or daily monitoring, with just “one in ten” conducting assessments every week. The report said “one fifth are assessing cyber risk quarterly.” The report set these intervals against “the fast-changing cyber threat landscape.”
Companies need to ask themselves, “How do we drive down risk every day?” Penrose said in the interview.
“Organizations are not always upfront with suppliers when they do discover a problem,” the report said. Of respondents, 36 percent “inform the supplier and hope they fix the issue, while the same percentage rely on the supplier to ensure adequate security.”
A section of the report covered manufacturing specifically.
The Industrial Internet of Things (IIoT), where production machines communicate with one another, is causing more cyber risk, the consulting company said. The “potential impacts of cyber attacks disabling all or part of the IIoT, or harvesting data from it, increase,” the report said.
The consulting firm surveyed 250 executives in the manufacturing sector. Of those respondents, 57 percent said they have suffered a cyber breach in their supply chain in the past 12 months. Also, 82 percent said they do not monitor all suppliers for cyber risk.