The State of Cyber Security in the Supply Chain

These are just some of the findings of a major new survey, investigating the self-reported security posture of 2500+ suppliers on the Risk Ledger platform against 200 risk controls across the following 6 cyber security domains:

• IT Operations
• Network & Cloud Security
• Software Development
• Supply Chain Management
• HR & Physical Security
• Security Governance

What is in the Report?

Based on this data, the "State of Cyber Security in the Supply Chain: Data Insights 2023" report offers valuable insights into existing strengths, but also prevailing risks and shortcomings in the supply chain.

This report will give you:

• Benchmark Data:
  A benchmark of security controls across six specific domains to use against your own suppliers.
• Quick Wins for Busy CISOs:
  A list of twelve common weaknesses in the security posture of suppliers, providing CISOs and other security professionals with a list of controls to focus on.
• Practical Recommendations by Cyber Security Experts
  A set of practical recommendations for how to gain real cyber security benefits through your supplier engagement, moving away from the common tick-box third party risk management approach.
  

Methodology

The data presented within this report is based on an anonymised aggregation of information provided by suppliers using the Risk Ledger platform to showcase their security controls to their clients and customers. When a supplier joins Risk Ledger, they complete a security profile consisting of 211 control questions spread across twelve risk and security domains:

• IT Operations
• Software Development
• Network and Cloud Security
• Supply chain management
• HR Security
• Physical Security
• Data Protection
• Security Governance
• Security Certifications
• Business Resilience
• Financial Risk
• Environmental Social and Governance (ESG).

The full Risk Ledger framework, with the exact questions and guidance provided to suppliers, can be found at https://riskledger.com/assessment-framework.

This report focuses only on the cyber security aspects. There will be future reports also covering Business Resilience, Data Protection, Financial Risk and ESG.

There were 2525 suppliers included within this analysis with geographical representation as follows (among the 6% ‘Other’, there are an additional 47 countries represented):

Not every supplier has answered every control question. When a supplier completes their profile on Risk Ledger, the framework dynamically adjusts the questions being asked depending on foregoing answers provided, removing questions which are not relevant for them. So, for example, if the supplier does not develop any applications or systems that collect, process, or store data on behalf of clients, they will not have to answer the control questions within the Software Development domain. For each control presented in this report, the data only relates to suppliers for which the control question was relevant.

Not all controls are included in this report. This report focussed on key control areas known to be most interesting and beneficial to the readers.

The data was pulled from the Risk Ledger platform in late March 2023.

Organisations using Risk Ledger for their supply chain risk management are able to analyse information across all controls and apply their own policies to give contextual risk for their organisation. They can see live assessment data in supplier-owned profiles, do continuous monitoring of the security posture of their suppliers, but from inside out, send and receive updates about controls instantaneously, and since Risk Ledger's network model means that suppliers and clients are always connected via the platform, they can therefore also collaborate more easily on remediation and other tasks.