While organizations recognize third-party threats expose them to great risk, many organizations fail to take adequate measures to mitigate it. In fact, while they grapple with third-party cyber risk management (TPCRM), the weak points in their current mitigation strategies exacerbate the threat of cyber incidents, a Forrester Consulting survey reveals.
Organizations constantly exchange confidential information with third parties
This exposes both sides to significant cyber risk. These information supply lines enabled by cloud and software-as-a-service (SaaS) adoptions are expected to grow in importance for many enterprises.
The percentage of data shared with third parties will ramp up over the next five years (from 30%-41% by 2026).
Current third-party risk prevention strategies leave organizations vulnerable
Businesses struggle to manage the risk that their third parties present because of a lack of prioritization and a matter of approach.
Ninety-five percent of respondents said their organizations experienced a strategy- or technology-based challenge in managing third-party risk. Without proper oversight, companies become vulnerable to cybersecurity threats, including data loss and ransomware.
Ignoring safe risk management practices
Organizations that have experienced a third-party cyber incident express a higher level of concern about managing such risks.
However, organizations that have experienced an incident also tend to share a higher percentage of their critical data (30%) than firms that haven’t been hit (22%). And firms that have experienced an incident are less likely to have tools in place to mitigate third-party cyber risks.
Mitigating third-party risk requires a different approach
Organizations need to approach third-party risk with a new holistic, ecosystem-focused, and cybersecurity-focused strategic mindset. This includes updated third-party assessment analysis, standardized processes, and higher-quality technology solutions.
“Organizations that fail to take thoughtful steps to monitor, defend, and prepare for third-party cyber incidents have undermined their entire cybersecurity posture,” said Dave Stapleton, CISO, of CyberGRX.
“As the Forrester study highlights, many organizations recognize the hazards posed by third parties; however, their actions do not reflect effective mitigation. Lacking a defined TPCRM strategy creates the opportunity for a breach, even if internal risk management strategies are otherwise solid and effective.”
How to improve third-party risk prevention practices
To improve third-party cyber risk practices, organizations must consider vendors as an extension of their own brand, and set a strict baseline and expectations for their cyber maturity. Companies should leverage data and automation to ensure that their entire supply chain will meet the outlined cyber requirements.
Additionally, it is imperative to continuously monitor the changing cyber risk of vendors. As new attack vectors are unleashed, a vendor’s security posture can be rapidly altered.
Finally, constant communication regarding cyber posture and compliance among all parties involved is critical and security training for employees and stakeholders should be mandatory.