Third-party cyber risk: the vendor supply chain knowledge gap

February 19, 2021

The recent SolarWinds cyberattack showed how a single compromised vendor becomes a third-party supply chain weakness: a trojanized update to widely distributed and widely deployed software carried the attackers into the environments of every customer who installed it. Yet many enterprises still have little insight into which suppliers are actually present in their infrastructure and systems.

In a survey of 1,500 technology chiefs and executives conducted by BlueVoyant, many respondents reported having experienced at least one data or system breach caused by a third-party vendor within the last year. Most of them do not monitor their vendors continuously or conduct a third-party cyber risk assessment at all.

The report's data is not surprising: organizations have, on average, 1,409 vendors connected to their networks and systems. The number varies by industry sector, and organizations in business services have 2,572 vendors on average. At that scale, periodic point-in-time monitoring quickly becomes insufficient, because the threat landscape keeps growing and attackers move faster than an annual review cycle.


With over 2,000 third-party vendors and a finite security team, it is tough to get your hands around third-party risk.


Most organizations assess their vendors and extract reports only a few times a year, some in a more limited fashion still, which is never enough.

The SolarWinds cyberattack drove the point home, exposing how important vetting third-party applications is to securing an organization's supply chain. The current Covid-19 pandemic teaches the same lesson: one infection can lead to thousands of others across the ecosystem, resembling a giant super-spreader event. Ensuring the health of an organization's supply chain is therefore critical to curbing transmission.

Automation lets organizations process vast amounts of vendor data with less human intervention, and continuously monitor and report on supply chain threats, vulnerabilities, and risks. Combined with a proper risk assessment of the systems involved and a well-configured program, it lets companies decide which vendors matter most and focus their limited resources there.
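As an added illustration of that prioritisation step (example code written for this page, not a BlueVoyant tool or anything from the article), the script below joins a vendor inventory with a feed of vendor incident notices, scores each vendor by what it can reach in your environment plus how recent the bad news is, and returns only the top N for review. It also lists vendors the feed mentions that the inventory does not know about, which is exactly the knowledge gap the article describes. The vendor names, CSV columns, notice format and weights are all constructed assumptions for the example.

```python
import csv
import io

# Constructed sample vendor inventory (fictional vendors, not real data).
INVENTORY_CSV = """vendor,category,data_access,network_access,business_critical
Acme Build Tools,software,internal,yes,yes
Northwind Payroll,saas,pii,no,yes
Contoso Catering,services,none,no,no
Fabrikam Monitoring,software,internal,yes,no
Tailspin Analytics,saas,pii,yes,no
"""

# Constructed notices of the kind a continuous-monitoring feed would deliver.
# "Woodgrove CDN" is deliberately absent from the inventory above.
NOTICES = [
    {"vendor": "Acme Build Tools", "kind": "breach", "days_ago": 3},
    {"vendor": "Fabrikam Monitoring", "kind": "critical_vuln", "days_ago": 10},
    {"vendor": "Contoso Catering", "kind": "breach", "days_ago": 1},
    {"vendor": "Tailspin Analytics", "kind": "critical_vuln", "days_ago": 60},
    {"vendor": "Woodgrove CDN", "kind": "breach", "days_ago": 2},
]

# Assumed weights for this example; a real program would calibrate them.
DATA_WEIGHT = {"none": 0, "internal": 2, "pii": 4}
NOTICE_WEIGHT = {"breach": 5, "critical_vuln": 3}


def load_inventory(text):
    """Parse the inventory CSV into a list of dicts, rejecting unknown values."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["data_access"] not in DATA_WEIGHT:
            raise ValueError(f"unknown data_access for {row['vendor']}")
    return rows


def inherent_score(row):
    """Exposure the vendor carries even with no incident: what it can reach."""
    score = DATA_WEIGHT[row["data_access"]]
    if row["network_access"] == "yes":
        score += 3
    if row["business_critical"] == "yes":
        score += 2
    return score


def notice_score(notices):
    """Signal from the feed; older notices decay so stale news does not dominate."""
    total = 0.0
    for n in notices:
        if n["days_ago"] <= 7:
            decay = 1.0
        elif n["days_ago"] <= 30:
            decay = 0.5
        else:
            decay = 0.25
        total += NOTICE_WEIGHT[n["kind"]] * decay
    return total


def unknown_vendors(inventory_csv, notices):
    """Vendors the feed mentions that the inventory does not know: the gap."""
    known = {row["vendor"] for row in load_inventory(inventory_csv)}
    return sorted({n["vendor"] for n in notices} - known)


def triage(inventory_csv, notices, budget):
    """Rank known vendors by inherent exposure plus recent signal; keep top N."""
    rows = load_inventory(inventory_csv)
    by_vendor = {}
    for n in notices:
        by_vendor.setdefault(n["vendor"], []).append(n)
    ranked = []
    for row in rows:
        inherent = inherent_score(row)
        signal = notice_score(by_vendor.get(row["vendor"], []))
        ranked.append((row["vendor"], inherent + signal, inherent, signal))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked[:budget]


if __name__ == "__main__":
    for vendor, total, inherent, signal in triage(INVENTORY_CSV, NOTICES, 3):
        print(f"{vendor:20s} total={total:5.2f} inherent={inherent} signal={signal}")
    print("not in inventory:", unknown_vendors(INVENTORY_CSV, NOTICES))
```

Note how the ranking behaves: the caterer with a breach yesterday lands at the bottom because it has no data or network access, while a build-tool vendor with network access and a recent breach goes straight to the top. That is the "pick what's important" decision the paragraph describes, and the unknown-vendor list is the first thing to fix, since a vendor you cannot score is one you cannot prioritise.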

Organizations must also build a single, consolidated view that integrates vendor management and risk monitoring across their infrastructure and systems, rather than assessing each supplier in isolation.
