Organizations Deprioritize Third-Party Relationships as Potential Breach Sources, CyberGRX Study Reveals 

By CyberGRX
mark

forrester

We're excited to announce the results of our commissioned study on how organizations prioritize third-party risk!

Conducted by Forrester Consulting, the research comprises surveys from 319 respondents in IT, security, and risk roles covering technology, retail, oil and gas, healthcare, financial services, and other highly regulated industries. The study highlights that while organizations recognize third-party threats expose them to great risk, many organizations fail to take adequate measures to mitigate it. In fact, while they grapple with third-party cyber risk management (TPCRM), the weak points in their current mitigation strategies exacerbate the threat of cyber incidents. 

The Forrester study, Why Isn’t Your Organization Prioritizing Third-Party Risk?, identifies four major themes:

  1. Today’s organizations constantly exchange confidential information with third parties. This exposes both sides to significant cyber risk. These information supply lines enabled by cloud and software-as-a-service (SaaS) adoptions are expected to grow in importance for many enterprises. The percentage of data shared with third parties will ramp up over the next five years (from 30%-41% by 2026). 
  2. Current third-party risk prevention strategies leave organizations vulnerable. Businesses struggle to manage the risk that their third parties present because of a lack of prioritization and a matter of approach. Ninety-five percent of respondents said their organizations experienced a strategy- or technology-based challenge in managing third-party risk. Without proper oversight, companies become vulnerable to cybersecurity threats, including data loss and ransomware. 
  3. Organizations stung by third-party cyber incidents tend to ignore safe risk management practices. Organizations that have experienced a third-party cyber incident express a higher level of concern about managing such risks. However, organizations that have experienced an incident also tend to share a higher percentage of their critical data (30%) than firms that haven’t been hit (22%). And firms that have experienced an incident are less likely to have tools in place to mitigate third-party cyber risks.
  4. Mitigating third-party risk requires a different approach to strategy and technology. Organizations need to approach third-party risk with a new holistic, ecosystem-focused, and cybersecurity-focused strategic mindset. This includes updated third-party assessment analysis, standardized processes, and higher-quality technology solutions. 

 “Organizations that fail to take thoughtful steps to monitor, defend, and prepare for third-party cyber incidents have undermined their entire cybersecurity posture,” said Dave Stapleton, CISO, of CyberGRX. “As the Forrester study highlights, many organizations recognize the hazards posed by third parties; however, their actions do not reflect effective mitigation. Lacking a defined TPCRM strategy creates the opportunity for a breach, even if internal risk management strategies are otherwise solid and effective.”

To improve third-party cyber risk practices, organizations must consider vendors as an extension of their own brand, and set a strict baseline and expectations for their cyber maturity. Companies should leverage data and automation to ensure that their entire supply chain will meet the outlined cyber requirements. Additionally, it is imperative to continuously monitor the changing cyber risk of vendors. As new attack vectors are unleashed, a vendor’s security posture can be rapidly altered. Finally, constant communication regarding cyber posture and compliance among all parties involved is critical and security training for employees and stakeholders should be mandatory.

CyberGRX’s Chief Information Security Officer, Dave Stapleton, and guest speaker, Forrester principal analyst Renee Murphy will present key findings and recommendations from the research during a webinar on Tuesday, October 12 at 2:00 pm EDT. To learn more:



Download the report

Attend the Webinar

CyberGRX

Mark
Mark

Join 10,000+ risk professionals who subscribe to the CyberGRX Newsletter