
2024 Supply Chain Defense Annual Global Insights Report

Information Technology 2024-11-04 BlueVoyant Daisy.Aldrich
Report cover

Supply Chain Defense Annual Global Insights Report 2024

Foreword

Welcome to BlueVoyant’s fifth annual report on the State of Supply Chain Defense. This year marks a significant evolution in the third-party cyber risk management (TPRM) space. In previous years, the focus of many organizations was on raising awareness and adopting initial strategies. The emphasis has now shifted to effectively managing and operating robust TPRM programs.

This report delves into these developments, highlighting technological advancements and refined risk management strategies, and touching on the following key themes:

> Active Vendor Engagement: Organizations are transitioning from monitoring to actively reducing risks by collaborating with vendors. Companies are directly managing service level agreements (SLAs), contracts, and penalties to encourage proactive remediation of identified cyber exposure.

> Improved Risk Understanding: Companies are showing enhanced comprehension of third-party risks, with more vendors being monitored and reporting to senior stakeholders becoming more standardized compared to five years ago.

> Automation and Integration: Respondents are emphasizing automating risk reduction and integrating incident detection and response into broader security efforts for more streamlined operations.

Organizations this year noted a shift from monitoring to actively reducing risk with vendors. More companies are engaging directly with vendors to manage SLAs, contracts, and penalties for ignoring poor security hygiene, with the main challenge being how to enforce consequences. Third-party risk is less of an unknown than when we started this survey five years ago. Organizations are monitoring more vendors, and reporting status to senior leadership has normalized to be in line with reporting on other security measures and risks.
As such, more mature TPRM programs are looking for ways to automate and operationalize the reduction of risk for their vendors and to integrate detection and response of incidents with the rest of their organizations’ security apparatus.

Reliance on third-party partnerships for success is ubiquitous, but these relationships also introduce important risk factors to business continuity. Our survey reveals that even small- to mid-sized organizations (1,000 - 5,000 employees) say they engage with more than 1,500 third-party partners on average. As organizations grow, their partner ecosystems expand significantly, with those having 10,000 or more employees saying they are often collaborating with 5,000 or more partners on average.

Not surprisingly, it becomes far more challenging to regularly monitor the cyber posture of a vast partner ecosystem, which increases potential risk. As illustrated in the chart below, larger organizations tend to say they monitor a smaller percentage of their total partners, sometimes as little as 25% or less.

As one would expect, the survey data confirms that larger partner ecosystems significantly elevate the incidence of cybersecurity breaches through that vector, as illustrated in the table below. This underscores the importance of having an effective risk reduction program that can scale with the size of your vendor ecosystem.

The importance of supply chain defense as a strategic priority is increasingly clear. Organizations are investing more effort and money into their TPRM programs, reflected in a notable 17 percentage point increase from last year (19% to 36%) in the number of respondents who now collaborate with third-party vendors throughout the entire remediation process when issues arise. The survey results also highlight ongoing financial investment in technology and talent to enhance supply chain security.
This investment seems to be yielding positive results, with the percentage of respondents reporting negative impacts from supply chain breaches falling from 94% in last year’s survey to 81% this year. Note that this is still a staggering number, so lots of work remains to continue to improve TPRM maturity.

Organizations now report recognizing the risks posed by their third-party ecosystems and are shifting focus to proactively assisting partners in remediating those risks. This is reflected in the table below, which contrasts the three most common responses selected from a list of top challenges related to managing third-party cyber risk in the 2024 survey compared to 2023.

The goal of this report has always been to enhance awareness and understanding for creating and elevating TPRM programs. Over the past several years, we have observed significant evolution in this space, as highlighted by the trends discussed in more detail throughout this document.

Methodology

BlueVoyant commissioned its fifth annual survey, undertaken by independent research organization Opinion Matters, in July 2024. Twenty-one hundred chief information officers (CIO), chief information security officers (CISO), chief operating officers (COO), chief security officers (CSO), chief technical officers (CTO), and ch