Third-Party Cyber Risk Looms Large for Companies with Outside Service Providers, Part 1

In this three-part series, we report on a just-released CyberRisk Alliance survey titled Third Party Risk: A Turbulent Outlook: Findings from a December 2021 Research Study, sponsored by Trava. Here, we reflect on the state of the industry when it comes to third-party cyber risk.

Are you confident in your company’s cyber security? What about that of your vendors, partners, brokers, contractors, distributors, agents, and resellers? Any company with outside service providers and software with privileged access is vulnerable to cyberattack. If your partner organization has network permissions, its risk can become your own. 

Hackers know the best way to get to a big target may be through a smaller one. But how aware of this risk are the companies themselves? To determine where businesses stand when it comes to third-party cyber risk, CyberRisk Alliance surveyed 301 IT and cybersecurity professionals whose organizations worked with third-party partners. Two-thirds of those surveyed worked for organizations of 1,000 employees or less. Most (86%) had security teams of 20 or fewer, and 14% had larger security operations centers.

Perhaps it should be no surprise that 95% reported partnerships with IT software, platform, or service providers, “suggesting a growing reliance on technology companies that historically secure code by default, not design, in a rush to market,” according to the survey. In all, 76% of respondents had up to 25 different partners; one in six large or enterprise organizations had more than 50. 

Third Party Risk: A Turbulent Outlook revealed the following findings:

• 60% of respondents had experienced an IT security incident in the past two years due to a third-party partner with access privileges and were most likely to have sensitive data stolen or suffered some type of business outage. 
  

• While 52% of those who experienced third-party related attacks indicated they lost less than $100,000 in damages, another 45% incurred higher costs, with a few paying $1 million or more.
  
  
• 70% of respondents ranked cyber the No. 1 or No. 2 risk among their third-party/supply chain partners.
  
  
• Supply chain visibility is more essential than prior to the pandemic. Almost everyone wanted this ability, with 72% believing that tracking components, sub-assemblies, and final products was very or critically important.
  
  
• More than three out of four (76%) rated managing third-party risk as a high or critical priority at their organizations—for most respondents (74%) this priority has increased in importance since 2020, when the pandemic created major micro and macro business disruptions, including supply and workforce shortages.
  
  
• Nearly half of all respondents (45%) said they implement the guidelines within the NIST Cybersecurity Framework in their third-party vendors assessments. Despite current challenges, organizations expect to improve their third-party risk management programs in the coming year. Budget spending is increasing for nearly half (49%) of all organizations, reflecting the growing importance of better third-party risk management to decrease the chance of a data breach or business disruption due to someone else’s poor security posture. 

Fortunately, organizations are finding ways to identify and mitigate the risks third parties create. In part two of this series, we examine survey respondents greatest concerns about third-party cyber risk. In part three, we present the top seven third-party risk management practices employed by organizations surveyed. 

Source: CyberRisk Alliance, Third Party Risk: A Turbulent Outlook: Findings from a December 2021 Research Study, January 2022. Download the report.