Over the last few weeks, we've been releasing in-depth blog posts on a number of insights gleaned from data we've gathered from a sample of 4,000 third parties on the CyberGRX Exchange. To date, over 90,000 third parties have been ingested in the Exchange. Today we've officially released the full report, which you can download here.
“Organizations have a responsibility to manage third-party risk—yet struggle with solutions to adequately address it. For thousands of businesses, our standardized, data-forward approach fills this void,” said Fred Kneip, CEO, CyberGRX. “Our ability to identify and produce these insights is a testament to why our data exchange approach to TPCRM works—allowing customers to analyze and action on data so they can create an informed and cohesive risk management strategy—rather than stockpiling assessments that exist in a vacuum. We are proud to share a selection of insights drawn from our Exchange to support all organizations in identifying and prioritizing cyber risks so they can take necessary steps to reduce it.”
Today, organizations of all sizes and spanning enterprise markets participate on the Exchange, supplying valuable data to extract insights. One such participant utilizing the Exchange for TPCRM is Dave Estlick, CISO at Chipotle. “CyberGRX's approach to TPCRM has really changed the game for risk management,” says Estlick. “This shift from static spreadsheets to structured data and analytics enables rapid and informed decision making—and these insights from the Exchange are an example of how this approach will truly inform not just CISOs, but the market, on how to reduce third-party risk.”
The report, CyberGRX Exchange Insights: Volume One, identifies five key insights:
Insight 1: Twenty percent of an organization’s third parties are high risk.
Based on the third-party population ingested by enterprise customers, on average 20% of an enterprise’s third-party portfolio poses high inherent risk. This means that if these third parties become compromised or unavailable, the fallout of that event will have a high impact on the enterprise. Inherent risk, unlike residual risk, is the risk that exists absent any security controls; it is nonetheless critical in helping organizations identify where to focus their due diligence efforts.
Insight 2: Third parties in certain industries are more likely to have mature cyber security programs, but still have significant gaps.
Organizations in the Financial, Technology, Telecom, and Healthcare industries are oftentimes third parties themselves. These third parties tend to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorization and authentication.
Insight 3: Company size correlates with security maturity and coverage.
Larger organizations do not necessarily equate to greater risk. In fact, as companies get smaller, data shows they have fewer controls in place and less mature programs. These smaller companies can retain significant access to sensitive data and systems, and it should not be assumed they pose less risk.
Insight 4: The most common third-party security gaps are desktop and laptop protection, server protection and virtualization protection (on-premise or cloud-based).
No matter the reported maturity of their security program, all industries researched reported areas of weakness across the following five areas: desktop and laptop protection; server protection; virtualization protection (on-premise or cloud-based); data at rest protection; and data in motion protection. These gaps in protections are considered basic security controls. The lack thereof leaves companies—and those in their third-party ecosystem—open to risks such as ransomware attacks, website defacement, data modification, exfiltration, and malicious use of PII.
Insight 5: Organizations tend to focus on the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk.
Many companies tend to focus on the same set of third parties, and often on their larger third parties, when they determine who to assess. But according to CyberGRX data, vendors with a history of being assessed are incentivized to improve and often have more mature security programs in place, whereas smaller or lesser-known companies may pose significant risk. This finding makes it evident that a scalable and repeatable approach, one that allows companies to review deeper layers of their vendor ecosystem, is critical, because that is where significant risk often sits.
Why This Matters
According to a 2020 Ponemon survey, the typical enterprise has an average of 5,800 third parties, and that number is expected to grow by 15 percent in the next year. As digital transformation continues to drive increased reliance on third parties, the criticality of third-party cyber risk management will only increase.
Our Exchange Insights illustrate the incredible value of data to drive the prioritization and reduction of third-party risk. Replacing false positives and static assessments with standardized, validated data and insights empowers organizations to better understand their third-party ecosystem and transition from simply assessment collection to robust risk management.
Click to download CyberGRX Exchange Insights: Volume One