Understanding Supply Chain Vulnerabilities: A New View on Third-Party Risk Management

In today's digital landscape, the significance of third-party risk management (TPRM) is greater than ever. A recent report by Black Kite, a leader in third-party cyber risk intelligence, sheds light on how current approaches to vulnerability management are inadequate, especially when addressing the complexities of supply chains. With a staggering 38% rise in published Common Vulnerabilities and Exposures (CVEs) in 2024, it is crucial for organizations to rethink their strategies to navigate these escalating challenges.

The Shift in Focus

Traditionally, organizations have steered their security efforts towards individual CVEs, often relying on Common Vulnerability Scoring System (CVSS) scores. However, Black Kite emphasizes that this method is insufficient for effectively managing risk in the interconnected world of cyber threats. The Chief Research Intelligence Officer, Ferhat Dikbiyik, warns that security teams must realize that CVSS is not a prioritization tool that indicates whether a vulnerability has been exploited or the probability that it will be weaponized. They must instead focus on how vulnerabilities can traverse through supply chain ecosystems, crossing organizational boundaries and leaving a trail of potential chaos.

As companies increasingly depend on third-party vendors and open-source components to enhance their operations, they expose themselves to significant risks. A single vulnerability in a supplier’s software can create a domino effect, leading to widespread repercussions across interconnected systems. The report underscores that many vulnerabilities identified in 2024 were found in commonly used third-party applications, suggesting that the vulnerabilities associated with suppliers might be among the most concerning.

Recent Trends in TPRM

The report highlights how TPRM has surfaced as an ever-evolving struggle for cybersecurity professionals. Throughout 2024, over 40,000 CVEs were reported, with a significant portion associated with high-risk exploitation, particularly in highly utilized software such as MOVEit and products from Fortra and Ivanti. This trend raises a growing concern: exploitation by cybercriminals can begin mere days after disclosure. With the rise of ransomware groups leveraging known exploited vulnerabilities, organizations must hone their assessment and response capabilities.

One troubling trend noted in the Black Kite report is the rapid weaponization of vulnerabilities. Categories of vulnerabilities classified as critical present a particularly urgent threat, indicating that organizations lacking a proactive risk assessment will likely suffer losses due to exploitation.

Supply Chain Implications

The TPRM report also identifies how vulnerabilities in renowned software vendors like Microsoft, Cisco, and VMware have significant ramifications, affecting numerous enterprises. The entwined nature of digital supply chains means that organizations could be severely impacted by vulnerabilities in services they do not directly control. Thus, shifting focus from isolated vulnerabilities to their broader supply chain implications can empower organizations to adopt a more effective risk management strategy.
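The argument above (in "The Shift in Focus" and in this section) is that a CVSS base score alone says nothing about whether a flaw is being exploited or how far it reaches through a supplier-dependent estate. The following is an added illustration written for this page, not code from the article or from Black Kite's report. It assumes a constructed dependency graph (vendor products feeding internal systems that feed other systems), placeholder vulnerability records with made-up identifiers, and a ranking key of my own choosing: known exploitation first, then transitive reach through the graph, then CVSS as a tiebreaker. Real tooling would pull exploitation status and dependency data from inventories and threat intelligence rather than from literals.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str            # placeholder identifier, not a real CVE
    vendor: str            # supplier whose product carries the flaw
    cvss: float            # published base score
    known_exploited: bool  # exploitation observed in the wild (assumed input)


# Constructed dependency graph: node -> set of nodes that depend on it.
# Vendor products are roots; internal systems depend on vendors and on each other.
DEPENDENTS = {
    "vendor-a": {"file-transfer", "hr-portal"},
    "vendor-b": {"lab-analytics"},
    "file-transfer": {"billing", "customer-portal"},
    "hr-portal": set(),
    "billing": {"reporting"},
    "customer-portal": set(),
    "lab-analytics": set(),
    "reporting": set(),
}


def blast_radius(node, dependents):
    """Return every node transitively downstream of `node` (breadth-first walk).

    This is the 'domino effect' the article describes: one supplier flaw
    reaches each system that depends on it, directly or through another system.
    """
    seen = set()
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for downstream in dependents.get(current, ()):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def priority_key(vuln, dependents):
    """Assumed ranking key: exploited status, then reach, then CVSS."""
    reach = len(blast_radius(vuln.vendor, dependents))
    return (vuln.known_exploited, reach, vuln.cvss)


def rank(vulns, dependents):
    """Order vulnerabilities by supply-chain-aware priority, highest first."""
    return sorted(vulns, key=lambda v: priority_key(v, dependents), reverse=True)


def rank_by_cvss(vulns):
    """The approach the article criticises: CVSS alone, highest first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


# Constructed sample records. Identifiers and scores are illustrative only.
SAMPLE_VULNS = [
    Vuln("CVE-EXAMPLE-1", "vendor-b", 9.8, False),  # critical score, isolated vendor
    Vuln("CVE-EXAMPLE-2", "vendor-a", 7.5, True),   # lower score, exploited, wide reach
    Vuln("CVE-EXAMPLE-3", "vendor-a", 8.1, False),  # high score, wide reach
]


if __name__ == "__main__":
    print("CVSS-only order:   ", [v.cve_id for v in rank_by_cvss(SAMPLE_VULNS)])
    print("Supply-chain order:", [v.cve_id for v in rank(SAMPLE_VULNS, DEPENDENTS)])
    for v in SAMPLE_VULNS:
        print(v.cve_id, "reaches", sorted(blast_radius(v.vendor, DEPENDENTS)))
```

With these inputs the CVSS-only view puts the 9.8 flaw in the isolated vendor first, while the supply-chain view promotes the exploited 7.5 flaw whose vendor feeds five internal systems. The point is not the specific weights but that exploitation evidence and dependency reach must enter the ranking at all.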

Conclusion

To effectively mitigate risks associated with third-party vendors, Black Kite's report advocates for a paradigm shift from reactive to proactive risk management. Organizations that fail to adapt risk remaining blind to vulnerabilities within their supply chains and facing increased risk exposures.

The 2025 Supply Chain Vulnerability Report encourages cybersecurity professionals to prioritize vulnerabilities that pose real-world supply chain threats. This strategic evolution aims to enhance vendor risk management and preserve organizational integrity in an increasingly hazardous cyber landscape. By applying these insights and urging a shift in perspective towards TPRM, organizations can better navigate this complex environment and fortify their defense against looming threats.

For those interested in the detailed findings, the full report is available on Black Kite's website, offering valuable insights for organizations seeking to enhance their security posture in the face of evolving risks.

About Black Kite

Black Kite empowers organizations with consistent, real-time insights regarding cyber ecosystem risks, allowing informed decision-making for improved business resilience. By merging automated processes with comprehensive threat, business, and risk data, they provide actionable intelligence that transcends standard risk ratings. Their innovative approach caters to more than 3,000 clients across various sectors, gaining significant industry acclaim and recognition.

Explore more at www.blackkite.com