3/3/2015
05:30 PM

Enterprises Thirsting For Third-Party Threat Data

New report shows enterprises more heavily weighing risks of data loss and cyber attacks in evaluation process.

The risk of data loss and cyberattacks at the hands of third parties is changing the way businesses evaluate their suppliers and partners, according to a new study by Forrester Consulting conducted on behalf of BitSight. The study shows that as pressure from regulators and security frameworks ratchets up, enterprises are looking for better ways to institute third-party oversight while still keeping line-of-business objectives in mind.

"As such, there is significant appetite for monitoring various elements of third-party security, yet few firms have the resources to do so with adequate frequency or objectivity," Forrester reported.

Over one in five dollars spent on IT today is allocated to third-party suppliers, according to the report. That equals $270 billion spent annually in the US alone.

Security concerns outrank concerns about whether third parties will actually deliver the product or service they were hired to provide. The biggest concerns revolve around the risk of losing or exposing company data, which 63 percent of organizations reported being interested in tracking and managing, and the risk of cyberattack introduced by the supplier, which 62 percent of organizations would be interested in tracking and managing. That compares with just 55 percent of organizations seeking to track and manage how well the supplier delivers the quality and timeliness of services as contracted.

"IT decision-makers aren’t just looking at the strategic value of their third-party relationships. In fact, they’re very interested in getting down to brass tacks," the report said.

This is not surprising given IT organizations' overall security objectives for the next 12 months. Approximately 79 percent of decision-makers reported that ensuring business partners and third parties comply with the organization's security requirements is a top security priority. The only two higher priorities were achieving regulatory compliance and addressing existing threats and vulnerabilities, both of which could arguably be folded into the third-party risk equation.

The study showed that the most valuable types of information for tracking third-party risk would be how well those parties manage threats and vulnerabilities, how secure their encryption policies and procedures are, and how effective their security incident response processes are.

However, the reality is that most organizations today are not tracking these and other security-related metrics with anywhere near the frequency they would like.

"Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59% indicated a desire to track and monitor," Forrester noted. "Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

anon2860263262, 3/9/2015 12:13:41 PM
Third-party management and data security
Interesting article. Third-party management should be audited frequently to avoid vulnerabilities in the information that is shared, to ensure that companies are not facing cyber attacks. I came across this infographic that readers will find very interesting: bit.ly/mcgldrydatabreach