The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.
According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S. the figure is higher still, at 61 percent, up five percentage points from last year's study and 12 points since 2016.
What's more, many breaches may go undetected: 22 percent of respondents admitted they did not know whether they had suffered a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.
A key contributing factor is the growing complexity of the third-party landscape. Companies continue to increase their reliance on third parties and, on average, share confidential and sensitive information with approximately 583 third parties. Yet only 34 percent keep a comprehensive inventory of these third parties, and the figure is worse still for Nth parties (the subcontractors and downstream providers those third parties in turn share data with), at 15 percent.
Sixty-nine percent of respondents indicated that a lack of centralized control was the key reason for not having the comprehensive inventory. Additional key reasons included lack of resources and the complexity of third-party relationships.
Furthermore, fewer than half of all companies say that managing third-party relationship risk is effective and a priority within their organization. Only 37 percent indicate that they have sufficient resources to manage third-party relationships, and only 35 percent rate their third-party risk management program as highly effective. More than half of companies do not know whether their vendors' safeguards are sufficient to prevent a breach.
“The third-party ecosystem is an ideal environment for cyber criminals looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” said Dov Goldman, VP of Innovation & Alliances at Opus. “To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that support automated technology and strong governance practices.”
The study also included a special analysis of those organizations that have been able to avoid a third-party data breach in the past 12 months (36 percent) or ever (32 percent). These high-performing organizations implemented governance and IT security best practices that were strongly correlated with a reduced incidence of third-party data breaches:
- Evaluation of the security and privacy practices of all third parties – Conduct regular audits and assessments to evaluate the security and privacy practices of third parties.
- An inventory of all third parties with whom you share information – Track all third parties that have access to sensitive data and how many of these parties are sharing this data with others.
- Frequent review of third-party management policies and programs – Implement formal processes to regularly evaluate security and privacy practices of third and Nth parties, particularly to address new technologies and innovations like Internet of Things devices.
- Third-party notification when data is shared with Nth parties – Mandate that third parties provide information about, and transparency into, their Nth-party relationships before sharing sensitive data with them.
- Oversight by the board of directors – Involve senior leadership and boards of directors in third-party risk management programs. High-level attention to third-party risk may increase the budget available to address these threats.
“While corporate executives understand the implications of a data breach or cyberattack to their business, far fewer are aware of the source of these attacks and the vulnerabilities that their organizations need to address to properly secure their data,” commented Dr. Larry Ponemon. “Considering the explosive growth of outsourced technology services and the rising volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.”