When it comes to outsourcing and the supply chain, a key finding by the Cyber Security Breaches Survey published by DCMS last week was that only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process. The Survey concluded that this presents a clear risk for the future.

The Survey came the day after an event held by our data & privacy team, in conjunction with Jonathan Wood of C2 Cyber and Leo Davidson of 11KBW, on understanding the responsibilities, risk and recourse when it comes to suppliers. The speakers looked at what the data security obligations are; some of the practicalities around managing third party risk; and the legal options when things go wrong but the supplier is at fault.

Indeed, whilst organisations might have invested significantly in shoring up their own defences, supply chains can themselves pose an entry point for attackers – something emphasised in the Survey. It means that organisations are only as resilient as the weakest supplier in their supply chain.

Other findings from the Survey reflected issues discussed at the event such as overreliance on contracts as guarantees of security, and checks not being on an active and ongoing basis. So whilst organisations will often require that suppliers, including Managed Services Providers, prove they have robust cyber security when signing contracts, once the contract is signed it is not often followed up with extensive due diligence or measurement of KPIs. Nor are risks reviewed throughout the duration of the relationship.

When it comes to barriers to addressing supplier risk, a perceived lack of time or money (36%) was the biggest, followed by an inability to get information from suppliers to carry out checks (28%). Not knowing what checks to carry out (26%) and not prioritising reviews (20%) were also cited as inhibiting organisations' ability to manage threats, as was not knowing which suppliers to check (18%) or a lack of relevant skills to check suppliers (18%). As discussed at the event, vendor risk management tools can play an important part in overcoming these barriers.

The Survey also attempted to capture the financial impact of breaches or attacks on organisations, both in terms of direct and indirect costs. The ability to recover any such losses from suppliers, or indeed to challenge fines issued by the regulator where a supplier is at fault, were topics addressed at the event, drawing on the Ticketmaster litigation. There, the attack vector was chatbot software containing malicious script provided to Ticketmaster by a third party supplier who was joined to proceedings brought against the ticketing service by hundreds of affected data subjects. The case illustrates the particular risks when it comes to the digital supply chain, something which Gartner has identified as one of its top security and risk management trends for 2022.