The report, which can be downloaded here, found that 40% of third-party suppliers do not conduct regular penetration tests of internal systems.
Moreover, the research found that 32% do not have a supplier security policy that outlines the security requirements that their suppliers should meet. This, according to Risk Ledger, puts their own data, as well as their customers’, at risk.
According to Risk Ledger, attackers are targeting under-resourced suppliers with weaker defences as a way of disrupting or compromising larger organisations. The company adds that the notable ransomware attack on a supplier to semiconductor giant Applied Materials is expected to lead to $250m in lost sales.
Risk Ledger says that well over 60% of organisations have suffered a data breach through a third party, a problem that regularly results in regulatory fines, huge data recovery costs and loss of consumer trust.
The above findings were made in the ‘State of Cyber Security in the Supply Chain 2023’ report, which was published on Tuesday, 18th April.
The report is based on proprietary data from over 2,500 suppliers that have shared information on their risk posture against over 200 cyber security controls with their customers on the Risk Ledger platform.
The research includes the 12 most common weaknesses among suppliers and offers practical recommendations by cyber security experts for improving organisations’ third-party risk management strategies.
Some of the major findings revealed in this report include:
- 17% do not enforce multi-factor authentication (MFA) on all remotely accessible services.
- 23% do not use Privileged Access Management controls to securely manage the use of privileged accounts.
- 20% do not use a password manager.
The report finds that all three of these weaknesses are common causes of cyber security incidents. Risk Ledger also states that a high proportion of third, fourth and fifth party suppliers are not using controls to protect themselves or their customers in these areas.
Finally, Risk Ledger writes that perhaps biggest problem associated with supply chain cyber attacks is the almost total lack of visibility into the prevailing weaknesses among suppliers.
“There is a wealth of existing data on the tools hackers use to target companies, and on the effects of such attacks, allowing cyber security professionals to put specific defences in place. There has been a total lack of visibility, however, into the main weaknesses in security postures of suppliers that allow these attacks to be successful in the first place,” says Risk Ledger.
Commenting on the report, Risk Ledger CEO, Haydn Brooks, said:
“Companies rarely run security assurance against more than 10% of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent. To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focussed. This is the purpose of our report. We want to share the insights we have obtained from suppliers on the Risk Ledger platform with the wider security community, allowing them to use our findings to benchmark their own suppliers against their peers.”