Digitized Supply Chains Bring New Cyber Risks
The increasing interdependence and digitalization of supply chains bring increased cyber risk to all parties, but many firms perceive the risks as one-sided, according to the Marsh Microsoft 2019 Global Cyber Risk Perception Survey.
Perceptions of Supply Chain Risk Vary Greatly
The survey found a wide discrepancy in many organizations’ view of the cyber risk faced from supply chain partners, compared to the level of perceived risk they themselves pose.
This variance is consistent across industry sectors and geographic regions, and the largest organizations exhibited the largest dissonance: 61% of companies with revenues of $5 billion or more say their supply chain partners pose a risk, whereas only 19% say they themselves pose risk to 3rd parties.
Low Confidence to Manage 3rd Party Risk
The disconnect may be driven by organizations’ low confidence in their ability to prevent or mitigate cyber risks posed by commercial partners. The share of organizations who are “highly confident” about mitigating cyber threats from supply chain partners ranged from lows of 5% to 15%, depending on the type of third party. The proportion who are “not at all confident” was generally twice as high, ranging from 13% to 30%. Overall, 43% reported “no confidence” in their ability to prevent cyber threats from at least one of their third-party partners.
Midsize firms reported the strongest confidence in managing suppliers. For example, 71% of firms with revenues between $100 million and $1 billion were “fairly” or “highly confident” in their ability to mitigate risks from outsourced business process providers, compared with 60% in all other size categories.
This may suggest that midsize firms are small enough to know their supply chain partners’ risks, yet large enough to have the resources to adequately assess and manage them.
Expectations for Third-Party Risk Management
There was also a disparity between cybersecurity measures and standards that organizations apply to themselves, versus those they expect from suppliers.
On balance, respondents were more likely to set a higher bar for their own cyber risk management measures than for their suppliers’.
For example, 56% of organizations said they expect supply chain partners to implement employee training, but 71% said their own organization had implemented training.
Likewise, only 73% expect 3rd parties to improve computer and system security, whereas 89% of companies require that of themselves.
Such disparities could lead organizations to think their suppliers are less prepared to manage cyber risk than they themselves are, thus diminishing the organization’s trust in its supply chain.
Supply Chain Risk Must Be a Shared Responsibility
In a world of hyper-connected supply chains, there is a critical need for shared responsibility for supply chain risk.
Every organization needs to understand, have confidence, and play a role in the integrity and security of its digital supply chain.
“Technological social responsibility”, the recognition by each organization of its role and cybersecurity obligations within the supply chain, should be on the agenda for all industry leaders.
Read the full 2019 Cyber Survey Report produced in partnership with Microsoft.