Breaches resulting from third-party security lapses are on the rise. Last year, 61% of surveyed US organizations said they had experienced a breach caused by one of their vendors or another third party. Some 75% said they believed such incidents were only going to increase.
The growing complexity of the third-party landscape bears much of the blame, according to the Opus/Ponemon Institute survey. While companies in the survey, on average, said they shared confidential and sensitive information with as many as 583 third parties, barely one-third had so much as an inventory of these entities. Some 69% said they did not have centralized control over third parties, and more than 60% did not have adequate resources for managing third-party risk.
In a separate survey conducted this year by BitSight and the Center for Financial Professionals, 97% of financial services companies said third-party risk was becoming a major concern. Nearly eight in 10 companies said they had already terminated a business relationship, or had ratcheted it down, over cybersecurity issues. Barely 22% said they were continuously monitoring third-party cyber-risk.
"Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify, and costly to address," says Steve Durbin, managing director of the Information Security Forum.
Here, according to Durbin and several other security experts, are tips for managing third-party risks.