It's Time to Rethink Third-Party Risk Assessment

COMMENTARY

December marked the third anniversary of one of the industry's most headline-making data breaches, SolarWinds. While the immense cost and recent legal filings from this highly damaging 2020 supply chain attack put a spotlight on the importance of third-party risk assessment, bad actors continued to exploit third-party software.

According to Forrester Research's 2022 security survey, supply chains are the top breach cause. For example, the number of organizations impacted by the MOVEit supply chain hack is close to 3,000 — and that number is growing. It's time to re-examine your current third-party risk assessment program and adopt new best practices to reduce your risk. 

The Rise of SaaS Subscriptions

Third-party risks have never been higher. Industry analyst firm Gartner recently revealed that, despite increased investments in third-party cybersecurity risk management over the past two years, 45% of organizations experienced third-party-related business interruptions. How did we get here? According to Gartner, 60% of organizations work with more than 1,000 third parties. On average, organizations use over 370 software-as-a-service (SaaS) applications; the average department now uses 87 SaaS applications. With every new application, the attack vector increases. The scale of the problem is enormous.

In the past, enterprise software procurement was a long, drawn-out process with a lot of oversight. While sometimes tedious, long enterprise sales cycles provided an opportunity for proper due diligence, so organizations didn't onboard too many third-party systems. With the proliferation of SaaS, it's easier for organizations — and individuals — to add new software subscriptions than ever before, sometimes with little oversight or risk assessment.

The volume and velocity of SaaS subscriptions is one of the biggest reasons why organizations have so many third-party vendors now. The decision-making power to purchase and onboard these applications is increasingly decentralized; from individual employees who just want to participate in a software free trial to authorized team members. Third-party solutions are being brought into an organization through many avenues, which has only increased the security challenge and made risk assessment more difficult.

With the emergence of productivity-enhancing tools powered by AI, we can expect the SaaS sprawl — and associated third-party risk — to rise. Moreover, there is a growing demand among employees for innovative, consumer-grade products. While organizations might prefer to consolidate their vendor relationships, employee demand for top-tier products could counteract this effort, continuing the momentum in vendor onboarding.

A Path Forward for Better Third-Party Risk Assessment

One of the biggest myths about third-party risk assessment is that it's a one-time activity. Many organizations mistakenly treat it as a checkbox exercise, conducted only during the initial vendor onboarding process. This approach overlooks the dynamic nature of risk, failing to account for changes over time in the third-party's business practices, security posture, or the regulatory environment.

To increase efficiency while reducing risk and to improve third-party risk assessment, organizations should take the following steps:

Conclusion

As organizations continue to onboard new vendors, supply chain and other third-party risks will continue to climb. By continuously evaluating and updating your organization's third-party risk assessment program, you can significantly improve your security posture and hopefully make sure your company doesn't have the next headline-making incident.