More than a fifth of companies (21%) do not conduct security assessment checks of their third-party suppliers before signing a contract with them, according to “The State of Cyber Security in the Supply Chain Data Insights Report 2023” survey that was recently published by Risk Ledger.

In the study, it was found that more than a third of participating organizations (36%) said they do not conduct business impact assessments of their own suppliers to understand the effect a disruption or security breach could have on their enterprise.

The report also showed that 33% of participants do not conduct regular assurance activities with their suppliers, meaning these organizations can no longer confirm whether they are currently secure.

According to the report, 23% of participating suppliers do not have formal agreements, with appropriate security clauses in place, with third-party organizations. As the report puts it, “This means that, while [suppliers] may have agreements pertaining to how data will be handled or the service provided, there are no contractual commitments around security — which would make the organization more vulnerable in a breach.”

Additionally, Risk Ledger found almost a third of participants (32%) do not have their own supplier security policy. As a result, there aren’t any “expectations as to the minimum level of security controls their suppliers should have in place.” Therefore, a supplier could deem their security protections sufficient when they might actually be “woefully inadequate for the service they are providing.”

Nevertheless, participating organizations are taking steps to protect their customers, with 86% of participants reporting they have formal agreements in place that provide relevant data protection regulations to third-party organizations. This creates a legally binding standard that suppliers and the extended supply chain must follow when dealing with people’s personal data.

“This report was not designed to shed light on the security posture of individual suppliers, but rather to provide a birds-eye perspective of the broader challenges and opportunities that exist in the extended supply chain ecosystem,” wrote Haydn Brooks, CEO of Risk Ledger. “Given the enormous task of effectively managing risks in the supply chain, and given the escalating need for not just managing risks emanating from direct suppliers, but also from suppliers further down the chain, we strongly believe that only a new paradigm aimed at enhancing collaborative security efforts… offers a practical way forward for making us all more secure." 

Data from “The State of Cyber Security in the Supply Chain” report came from interviews with 2,525 global suppliers that used the Risk Ledger platform, conducted in late March 2023.