As organizations move into 2025, the critical importance of operational resilience and third-party cyber risk management has never been more apparent. Driven by both commercial imperatives and new regulatory mandates, such as NIS2, enacted in late 2024, and DORA, earlier this year, businesses must now treat supply chain risk management as a strategic necessity. The need for robust security frameworks to protect against potential threats has transformed supply chain risk management from a peripheral concern to an essential business strategy, highlighting the undeniable link between effective third-party oversight and overall cyber health.
A recent report by BlueVoyant highlights a concerning trend: many organizations are either not prioritizing or remain unaware of the cybersecurity gaps within their supply chains. Nearly two-thirds of UK respondents reported that third-party cyber risk management is not a priority or is only somewhat prioritized. Alarmingly, 34% of respondents indicated they have no way of knowing when a cybersecurity incident occurs within their supply chain. This lack of visibility can expose organizations to significant threats, resulting in business disruptions, reputational damage, and even regulatory fines.
The Growing Importance of Supply Chain Risk Management
The consequences of these cybersecurity gaps can be severe, encompassing business disruptions and reputational damage, alongside the threat of regulatory fines. Boards of directors, recognizing these implications, are increasingly focusing on cyber risk management. A comprehensive understanding of supply chain cybersecurity is deemed essential for Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) to provide effective oversight. The importance of this understanding cannot be overstated, as it allows organizations to foster resiliency and maintain uninterrupted business operations.
A startling revelation from the report is the lack of supply chain cybersecurity visibility. According to the data, a staggering 95% of C-level executives in the UK indicated that they had been negatively impacted by cybersecurity breaches within their supply chains, compared to 81% globally. This stark difference underlines the critical need for enhanced visibility in mitigating third-party risks and maintaining a robust security posture. Enhanced visibility is not only a preventive measure but also a proactive approach to safeguarding valuable assets and ensuring business continuity in the face of rising cyber threats.
Enhancing Third-Party Risk Management (TPRM)
The article notes an increase in engagement and collaboration in third-party risk management (TPRM), although there is still considerable ground to cover. Awareness of TPRM is growing across industries, with more organizations investing in strategic TPRM activities. Constructing these activities around engaging with vendors, embracing automation, and managing service level agreements (SLAs) to penalize poor security practices marks a significant step forward in combating third-party risk. These advancements signal a shift in focus from mere awareness to concrete action and strategic engagement.
Despite these improvements, the journey towards proactive risk mitigation and incident remediation is ongoing. Many firms initially focused on raising awareness of third-party risk and implementing basic risk management protocols. However, the emphasis is now shifting towards optimized management through fully developed TPRM programs. Even with these encouraging signs, the article insists that more effort is needed. True resilience and security come from a deep, ongoing commitment to comprehensive risk management that continuously evolves with the threat landscape.
The Expanding Size of Supply Chains
The article provides a detailed overview of the increasing size of supply chains in recent years. In 2024, 80% of organizations with between 1,000 and 5,000 employees reported engagements with 501 to 10,000 third-party suppliers. Similarly, the majority of UK firms with 10,001 to 15,000 employees have third-party ecosystems comprising between 1,000 and 10,000 suppliers. This growth in supply chain size underscores the complexity and breadth of modern business ecosystems, driving the need for heightened vigilance and comprehensive risk management strategies.
The research further shows a direct correlation between the size of a firm’s supply chain ecosystem and the number of cyber incidents reported. For example, 54% of UK organizations with 101 to 500 supply partners reported suffering one breach or more, while nearly all firms with 10,000 to 50,000 suppliers experienced a cybersecurity breach in the last 12 months. This direct relationship between supplier ecosystem size and cyber incidents demonstrates the pressing need for robust supply chain oversight, continuous monitoring, and strategic collaboration to mitigate these inherent risks.
Addressing Cyber Breaches and Vulnerabilities
The underlying problem contributing to these cyber breaches is that many UK organizations assess their critical third-party suppliers only twice a year, leaving thousands of potential vulnerabilities unchecked. This prevalent issue is observed regardless of the size of the supplier ecosystem. For smaller ecosystems, assessments occur every six months, while in larger ecosystems, 32% of organizations assess only once per year. These infrequent assessments leave wide windows of opportunity for potential breaches, emphasizing the necessity for continuous, real-time monitoring and evaluation.
Boards must ensure that effective strategies are implemented to maintain oversight and visibility, thereby mitigating potential risks. The article highlights an increase in organizational understanding of third-party risk, with companies monitoring larger numbers of vendors and incorporating senior stakeholder reporting as standard practice. However, significant challenges remain. Implementing consistent, comprehensive risk assessments and maintaining an up-to-date understanding of the threat landscape remain vital components of a resilient cybersecurity strategy, ensuring that organizations can respond swiftly and effectively to any potential threats.
Proactive Measures for Supply Chain Cybersecurity
To better address supply chain cybersecurity risks, businesses should initiate proactive visibility programs at all levels, particularly at the Board and C-suite level, including cross-departmental and senior stakeholder briefings, reporting, and collaboration. Prioritizing effective third-party cybersecurity risk management and collaboration to reduce breach risks is crucial. Implementing structured penalties for third parties to encourage compliance among those lacking sufficient hygiene, response, and remediation measures will further solidify a strong security posture.
Monitoring and evaluating all suppliers continuously must become standard practice. Introducing tiered monitoring—from simple questionnaires to advanced continuous monitoring—offset against costs and aligned with vendor criticality can alleviate resource, technology, and expertise challenges. Ensuring third-party cybersecurity risk management isn’t siloed in IT or elsewhere is crucial. Working closely with third parties to close the remediation loop and triaging and tracking all issues through every step to full remediation are essential steps. These strategies offer a robust framework for mitigating third-party risk, ensuring the security and resilience of the extended supply chain ecosystem.