The Wall Street Journal (WSJ) posted an article with research they conducted entitled The Industries Most Vulnerable to Cyberattacks – And Why. The WSJ described their research as follows:

These are some of the findings from a survey of information security officers at nearly 400 companies by WSJ Pro Research. The survey offers a revealing snapshot of the state of cybersecurity—in particular, what kinds of companies are unprepared and why.

One of the key findings of the research was that there is a large gap between the perceived threat and perceived preparedness of companies as it relates to “ATTACKS ON THIRD PARTIES,SUPPLY CHAIN”. The article says: “More than 70% of all organizations saw it as a major threat, but less than 60% felt prepared.”

I really appreciate that the WSJ research is highlighting this area of focus. Part of the problem is that the existing vendor risk management model to deal with supply chains, vendors and third parties is distorted – creating less than adequate solutions for companies that ‘have a program’ and unappealing solutions for companies that don’t yet have a program. In my opinion, this distortion is what leads to such a large gap in perceived threat and perceived preparedness.