Midsize firms reported the strongest confidence in managing suppliers. For example, 71% of firms with revenues between $100 million and $1 billion were “fairly” or “highly confident” in their ability to mitigate risks from outsourced business process providers, compared with 60% in all other size categories.
This may suggest that midsize firms are small enough to know their supply chain partners’ risks, yet large enough to have the resources to adequately assess and manage them.
Expectations for Third-Party Risk Management
There was also a disparity between the cybersecurity measures and standards that organizations apply to themselves and those they expect from suppliers.
On balance, respondents were more likely to set a higher bar for their own cyber risk management measures than for their suppliers’.
For example, 56% of organizations said they expect supply chain partners to implement employee training, but 71% said their own organization had implemented training.
Likewise, only 73% expect third parties to improve computer and system security, whereas 89% of companies require that of themselves.