98% of IT professionals in APAC say they have been affected by a cyber breach in their supply chain

Sumit Bansal, Vice President Asia Pacific and Japan at BlueVoyant

BlueVoyant, a cyber defence firm that combines internal and external cyber security, released the APAC findings of its third annual survey into supply chain cyber risk management. The survey paints a stark picture, with a staggering 98% of APAC respondents saying they have been negatively impacted by a cyber breach in their supply chain. Digital supply chains are made up of the external vendors and suppliers who have access that could be compromised.

What were the findings of BlueVoyant’s study?

The study was conducted by independent research firm Opinion Matters and recorded the views and experiences of 2,100 CTOs, CSOs, COOs, CIOs, CISOs, and CPOs, with 600 respondents across APAC from Australia, Singapore and the Philippines, in organisations with over 1,000 employees. It covered 11 countries across North America, Europe, and APAC.

A bleak picture of escalating supply chain threats and low risk visibility

Other key APAC survey findings were:

  • 52% of APAC firms said they have been negatively impacted by between two and five cyber security breaches in their supply chain.
  • However, only 38% of APAC respondents considered supply chain risk a key priority. This compares favourably with the 36% global average.
  • That said, APAC respondents were unlikely to be aware of all the risks in their supply chain, with 37% saying that cyber risk was not on their radar. This compares to the 38% global average.
  • When asked how frequently they re-assess third-party or supplier cyber security risk, the most common response (28%) by APAC respondents was quarterly. Overall, almost a third (32%) of APAC respondents reported six-monthly, annually, or less frequently. Only 3% said they monitor either daily or in real time.
  • Automation is key to effective risk monitoring, but the use of vendor risk management programmes in APAC was lower than average; 37% have a programme in place versus the global 41% average.
  • 39% of APAC respondents said they have no way of knowing if a cyber risk emerges in a third-party vendor, slightly lower than the overall 40% global average. However, it is still a clear indication of the complex challenges that APAC firms must solve if they are to take control of supply chain risk.

Monitoring of suppliers

The good news is that APAC respondents are more likely to be monitoring critical suppliers in their supply chain for cyber security risk (28% APAC versus 24% global) but less likely to watch the long tail of all their third-party suppliers (16% APAC versus 17% global). Likewise, they are less likely to rely on vendors for adequate security (37% APAC versus 45% global).

Budgets are increasing

Reassuringly, APAC firms were more likely to report increased budgets for supply chain defence, possibly in light of recent attacks and more regulatory scrutiny. 85% of respondents said their budgets increased in the last 12 months, compared to a global 84% average.

In addition, the Asia Pacific companies surveyed reported an almost equal distribution across pain points, among them too many false positives, overseeing data volume, prioritising risk, and knowing their own risk position. However, the biggest pain point cited was working with third-party suppliers to improve their security performance (21%).

What were BlueVoyant’s thoughts on the findings?

Commenting on the research findings, Sumit Bansal, Vice President Asia Pacific and Japan at BlueVoyant, said: “Visibility into supply chain cyber security risk remains an ongoing problem across Asia Pacific. Despite the continuing high prevalence of negative impacts from cyber security breaches in the supply chain, such as the high-profile breaches seen in Australia towards the end of last year, IT leaders are still not making supply chain security a priority.”

“With the escalating threat landscape and number of high-profile incidents being reported, I would recommend firms focus more strategically on addressing supply chain cyber security risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand.”

“And while a higher proportion of firms say this is a priority, there is still a significant group who appear to be completely unaware of the risks in their supply chains. In today’s interconnected ecosystem, a risk to a supplier is a risk to your own business, therefore relying on vendors to mitigate without any oversight or control leaves firms vulnerable.”

“With Asia Pacific organisations being so heavily targeted, it is reassuring to see increased budget being made available to reduce the negative impact of supply chain disturbances and drive down cyber risk. Businesses must now prioritise the investment so they can better monitor suppliers and drive down supply chain risk,” Sumit Bansal further commented.

Learn more about the full global BlueVoyant report: “The State of Supply Chain Defense: Annual Global Insights Report,” including analysis across countries and vertical sectors.