Operating with the assistance of third parties has become a fact of life for the modern organization: on average, an organization has at least 10 third-party relationships at any given time. While teaming up with various third parties has become essential to conducting business effectively and efficiently, new data obtained by Security ScoreCard shows that operating with third parties can introduce significant cybersecurity risk.
The study analyzed 235,000 primary organizations and more than 73,000 third and fourth parties and found that 98% of organizations across the globe have a relationship with a third party that has experienced a cyber breach within the past two years. In addition, 50% of organizations globally have a relationship with a fourth party that has experienced a cyber breach over the same timeframe.
The cause appears to be simply a lack of proper cybersecurity practices further down the supply chain. Third-party vendors are estimated to be five times more likely to have a weaker cybersecurity framework than the primary organizations they serve, and this number only increases with fourth- and fifth-party vendors.
This data shows that every time a primary organization chooses to partner with a third party, it exposes itself to cyber risk. Granted, a breached third party does not necessarily mean that the primary organization will also experience a data breach, but with every additional third party, that outcome becomes more likely.
With this in mind, it is critical for organizations to optimize their third-party risk management framework. Organizations can no longer rely solely on the effectiveness of their own cybersecurity practices; they must also ensure that third-party vendors are doing their own due diligence to prevent such a breach. To do this, organizations should consider the following:
· Vendor Vetting. During the onboarding process, it is critical that primary organizations carry out a thorough and in-depth vetting process. Cybersecurity is one of the leading risks that third-party vendors pose to primary organizations and thus must be a top priority when vetting a potential vendor. Clearly understanding a third party’s priorities and skills, as well as its weaknesses, can greatly enhance the ability of organizations to cooperate with one another while understanding where their risk exposures reside. This also allows for better-informed decision-making, since the organization has a clear picture of the risks and rewards of working with a specific vendor.
· Vendor Visibility. The vetting process does not end with onboarding. Primary organizations must continuously monitor their third-party relationships to ensure that these vendors keep their cybersecurity practices up to date. By continuously monitoring third-party relationships, as well as fourth- and fifth-party ones, organizations can gain a better understanding of when it might be time to seek a relationship with a new vendor.
· Vendor Cooperation. Vendor monitoring does not always have to result in a replacement. By analyzing third parties, the primary organization gains greater visibility into a vendor's weaknesses and can then make an effort to improve that vendor's cybersecurity framework. Establishing open lines of communication allows both the primary organization and the third party to agree on a common ground of cybersecurity policies and procedures, greatly reducing the risk of a breach.
Cybersecurity continues to be one of the leading threats facing organizations. Unfortunately, because third parties are necessary to operate effectively, organizations are exposing themselves to ever greater cyber risk. With this in mind, it is critical for organizations to dedicate the time and resources to ensuring that their third-party vendors follow up-to-date and effective cybersecurity practices. If organizations fail to do so, a cyber breach is likely to occur.