How well do you know the risks posed by your third parties and supply chain?

You can’t secure what you can’t see, and most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks.

Only 40% of survey respondents say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter have little or no understanding at all of these risks — a major blind spot of which cyber attackers are well aware and willing to exploit.

Among our respondents, 56% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 34% have formally assessed their enterprise’s exposure to this risk. Fifty-seven percent expect a jump in attacks on cloud services, but only 37% profess an understanding of cloud risks based on formal assessments.

The “most improved” organisations, on the other hand, have taken note and taken action. They are 11x more likely to report a high understanding of their third-party risks. Some three-quarters say they’re highly knowledgeable about third-party dangers in five of six areas.

Only in their knowledge of “nth-party” risks — those posed by their suppliers’ suppliers and so on, down the line — does the number dip: 69% of the “most improved,” 31% for the rest. The more complex the connection, the harder it becomes to see the risks buried within.

Fewer than half of all respondents — 30% to 46% — say they’ve responded to the escalating threats that complex business ecosystems pose. The ones that have responded seem to be focusing their efforts primarily on today, perhaps at the expense of tomorrow. Asked how they’re minimising their third-party risks, they gave largely reactionary answers: auditing or verifying their suppliers’ compliance (46%), sharing information with third parties or helping them in some other way to improve their cyber stance (42%), and addressing cost- or time-related challenges to cyber resilience (40%).

Only one top response — that they are refining criteria for onboarding and ongoing assessments (42%) — could be considered proactive, offering benefits over the long term. Publicly listed organisations (47%) were significantly more likely to claim this step.

Still, more than half have taken no actions that promise a more lasting impact on their third-party risk management. They’ve not refined their third-party criteria (58%), not rewritten contracts (60%), not increased the rigor of their due diligence (62%). Meanwhile, the “most improved” are five times more likely to have taken all seven actions listed.

Visibility also means seeing which challenges others face and what they are doing to meet them. Collaborators can be an important part of your cyber-business ecosystem. Just ask the companies and federal agencies that benefited from the public-private partnership and government responses to significant cyber incidents early in 2021. Timely sharing of information matters for cybersecurity in general, critical infrastructure or not.

But fewer than one-third of survey respondents said their public-private collaboration efforts are “very effectively” helping them achieve their cyber goals. Those who’ve had the best cybersecurity outcomes over the past two years, however, were 34x more likely to have achieved their public-private collaboration goals “very effectively.”

Organisations increasing their cyber budgets in 2022 were significantly likely to say they have achieved these goals “very effectively”:

• Share knowledge about new threats, approaches, and solutions in my peer set (38%)

• Demonstrate avoidance of tangible financial losses (36%)

• Activate public-private sector relationships for more effective responses to a cyber attack on our organisation (33%)

• Promote broader awareness and upskilling of workforce (32%)

“Very effective” collaborators also include those in technology, media and telecommunications; those with more than $5 billion in yearly revenues; and, in terms of promoting broader cyber awareness and upskilling the workforce, female respondents.

For influencing governments and policymakers on proposed rules and regulations, smaller companies perceive that they are less effective than larger ones. Respondents from organisations with yearly revenues under $1 billion were significantly more likely to say they are “not very effective” at wielding this influence (7%), as opposed to 4% of those with revenues greater than $1 billion and 3% of those with $5 billion yearly revenues or higher.