Third-Party Cyber-Risk by the Numbers
Recent stats show that the state of third-party cyber-risk and vendor risk management remains largely immature at most organizations.
April 19, 2019
Make no mistake: Even the most technologically mature organizations are struggling to keep in check the rising force of third-party cyber-risk. Recent high-profile security incidents, such as the Facebook data leak and the ASUS ShadowHammer supply-chain attack, bring home the fact that third parties can introduce tremendous risk to business operations, data security, and even the technical integrity of products and services.
Data shows that enterprises of all types are still way behind on instituting the governance and technology to wrap their arms around third-party risks, be they in the software supply chain, access governance, or data handling. And, unfortunately, some experts say the industry isn't moving the needle on third-party risk.
"The overall maturity of vendor risk management programs is virtually unchanged in the face of an increasingly challenging external risk and regulatory environment," wrote experts from Protiviti in the company's fifth annual vendor risk management survey.
For this slide show, Dark Reading took a look at data in that report as well as a number of others on third-party cyber-risk to offer insight into the current attitudes around the problem, the scope of access afforded to third parties, and the maturity level of current vendor risk management practices.
A recent report from Ponemon Institute on behalf of CyberGRX shows that even though 80% of organizations believe vetting third parties for cyber-risk is critical, approximately six in 10 organizations admit they're only somewhat or not at all effective in doing so.
In an era of digital transformation that leans heavily on strong partnerships and open APIs, the scope of third-party access to sensitive information grows by the day at most organizations. According to a study by Ponemon Institute on behalf of Opus, companies now share confidential information with, on average, 583 third parties. All of this is adding up to additional risk of breaches. Approximately 59% of companies say they've experienced a data breach caused by one of their vendors or third parties in the past year.
Yet the Opus study also shows that only 34% of organizations even keep a comprehensive inventory of these third parties, let alone audit what they're doing. Investment in the assessment process varies greatly. The CyberGRX study shows that enterprises are spending an average of $1 million to $10 million annually to vet third-party capabilities beyond bare-bones compliance measures.
Meantime, the study by Protiviti shows much of the vendor risk management process is still a shoot-from-the-hip affair at many organizations. Approximately one in three organizations are at the nonexistent or ad-hoc stage of maturity in vendor risk management. On a positive note, the industry appears to be at a tipping point, with about 40% of organizations at a fully functional maturity level and another 28% in a transitional stage.
With such a lack of maturity rampant in vendor risk management, it should come as no surprise that only 44% of organizations report on third-party risk to their executives and boards on a regular basis. So says a report by BitSight, which also found that one in five respondents think boards do not understand their approaches to third-party risk management.
Even when investments are being made to gain visibility into vendor and partner risks, the CyberGRX study seems to indicate that there's still a lot of wasted effort in the third-party assessment process. The study shows that third parties spend 15,000 or more hours completing assessments every year, and enterprises only take action on about 8% of those assessments.
Third parties aren't the only ones adding risk to the equation. Organizations also must consider the risks of an interconnected environment in which their third-party vendors are passing along info or access to another fourth party, that party shares with a fifth party, and so on. Experts in the field call this "Nth party risk." A recent study by eSentire shows that many organizations may have a false sense of security about Nth parties. About 60% of respondents to that survey say they're confident they have full visibility into Nth parties, even though just 28% are sure their vendors notify them when these third parties share data with Nth parties.
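The visibility problem behind Nth-party risk is a reachability question: data flows from the organization to its vendors, from those vendors to their subprocessors, and so on, while the inventory typically stops at the first hop. The following is an added example, not code from the Dark Reading article or from any of the surveys it cites; the sharing graph, the party names and the inventory are all constructed for illustration. A breadth-first walk over the graph lists every party that ends up holding the data, labels each with its depth (third, fourth, fifth party), and flags the ones the inventory does not know about.

```python
"""Transitive (Nth-party) data-sharing exposure over a constructed vendor graph.

Added example, not from the Dark Reading article or any of the surveys it cites.
The graph, the party names and the inventory are constructed for illustration.
"""
from collections import deque

# Constructed: who each party shares our data with onward. "acme" is the
# organization itself; every other key is a vendor or a vendor's vendor.
SHARING_GRAPH = {
    "acme": ["payroll-saas", "crm-vendor", "print-shop"],
    "payroll-saas": ["cloud-host", "tax-filer"],
    "crm-vendor": ["cloud-host", "email-relay", "analytics-co"],
    "print-shop": [],
    "cloud-host": ["cdn-provider"],
    "tax-filer": [],
    "email-relay": ["analytics-co"],
    "analytics-co": ["data-broker"],
    "cdn-provider": [],
    "data-broker": [],
}

# Constructed: the parties acme's vendor inventory actually records, i.e. its
# direct vendors plus the two subprocessors that have been disclosed to it.
INVENTORY = {"payroll-saas", "crm-vendor", "print-shop", "cloud-host", "tax-filer"}


def nth_party_exposure(graph, origin):
    """Breadth-first walk from origin; returns {party: (depth, path)}.

    depth 1 = third party, depth 2 = fourth party, and so on. Because the walk
    is breadth-first, the recorded path is the shortest route the data takes.
    Parties already seen (and the origin itself) are skipped, so cycles in the
    sharing graph terminate.
    """
    exposure = {}
    queue = deque([(origin, [origin])])
    while queue:
        party, path = queue.popleft()
        for downstream in graph.get(party, []):
            if downstream == origin or downstream in exposure:
                continue
            exposure[downstream] = (len(path), path + [downstream])
            queue.append((downstream, path + [downstream]))
    return exposure


def visibility_gap(exposure, inventory):
    """Parties that receive the data but are absent from the inventory."""
    return {p: v for p, v in exposure.items() if p not in inventory}


def main():
    exposure = nth_party_exposure(SHARING_GRAPH, "acme")
    gap = visibility_gap(exposure, INVENTORY)
    for party, (depth, path) in sorted(exposure.items(), key=lambda kv: kv[1][0]):
        flag = "" if party in INVENTORY else "  <-- not in inventory"
        print(f"depth {depth}: {' -> '.join(path)}{flag}")
    print(f"{len(exposure)} parties receive the data; "
          f"{len(gap)} of them are outside the inventory")


if __name__ == "__main__":
    main()
```

In the constructed graph, five of the nine parties that end up holding the data are in the inventory; the other four, including a data broker three hops away, are reachable only through a vendor's own subprocessors. The only way the `INVENTORY` set grows to match the real exposure is the onward-sharing notification the eSentire figures above say most vendors are not known to provide.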