A third-party supply chain cyberattack against computer chip giant Applied Materials, expected to result in losses of $250 million, won’t be the last one targeting downstream suppliers, according to an analysis by British cybersecurity provider Risk Ledger. In fact, the same analysis found that nearly one-third of the organizations examined lack a supplier security policy.
Risk Ledger’s report, “State of Cyber Security in the Supply Chain 2023,” is based on anonymized, proprietary data of more than 2,500 suppliers that have shared information on their risk posture, revealing leading cybersecurity weaknesses in the supply chain.
The report found, for example, that 40% of third-party suppliers do not conduct regular penetration tests of internal systems, and 32% do not have a supplier security policy outlining the security requirements that their own suppliers should meet, putting their own and their customers’ data at risk.
“Companies rarely run security assurance against more than 10% of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent,” Risk Ledger CEO Haydn Brooks said in a news release. “To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focused.”
Here are some other key findings:
- 17% of firms analyzed do not enforce multi-factor authentication (MFA) on all remotely accessible services.
- 23% do not use privileged access management controls to securely manage the use of privileged accounts.
- 20% do not use a password manager.