A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties.
Twenty percent of an organization’s third parties are high risk
Based on the third-party population ingested by enterprise customers, on average, 20% of an enterprise’s third-party portfolio pose high inherent risk. This means that if these third parties become compromised or unavailable, the fallout of that event will have a high impact on the enterprise.
Unlike residual risk, inherent risk is the risk absent any security controls, but it is critical in helping organizations identify where to focus their due diligence efforts.
Third parties in certain industries still have significant gaps
Third parties in certain industries are more likely to have mature cybersecurity programs, but still have significant gaps. Organizations in the financial, technology, telecom, and healthcare industries are oftentimes third parties themselves.
These third parties tend to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorization and authentication.
Company size correlates with security maturity and coverage
Larger organizations do not necessarily equate to greater risk. In fact, as companies get smaller, data shows they have fewer controls in place and less mature programs.
These smaller companies can retain significant access to sensitive data and systems, and it should not be assumed they pose less risk.
The most common third-party security gaps
The most common third-party security gaps are desktop and laptop protection, server protection and virtualization protection (on-premise or cloud-based).
No matter the reported maturity of their security program, all industries researched reported areas of weakness across the following five areas: desktop and laptop protection; server protection; virtualization protection (on-premise or cloud-based); data at rest protection; and data in motion protection.
These gaps in protections are considered basic security controls. The lack thereof leaves companies—and those in their third-party ecosystem—open to risks such as ransomware attacks, website defacement, data modification, exfiltration, and malicious use of PII.
Vendors posing the greatest risk
Organizations tend to focus on the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk. Many companies tend to focus on the same set of third parties, and often on their larger third parties when they determine who to assess.
But according to research data, vendors with a history of being assessed are incentivized to improve, and often have more mature security programs in place. Whereas, smaller or lesser known companies may pose significant risk.
This finding makes it evident that using a scalable and repeatable approach that allows companies to review deeper layers of their vendor ecosystem is critical, because that is where significant risk often sits.
Why this matters
According to a 2020 Ponemon survey, the typical enterprise has an average of 5,800 third parties, and that number is expected to grow by 15 percent in the next year. As digital transformation continues to drive increased reliance on third parties, the criticality of third-party cyber risk management will only increase.
The report illustrates the incredible value of data to drive the prioritization and reduction of third-party risk. Replacing false positives and static assessments with standardized, validated data and insights empowers organizations to better understand their third-party ecosystem and transition from simply assessment collection to robust risk management.