Our evaluation of third parties measures the overall maturity of a third party's security program as well as the existence and effectiveness of the security controls it uses to mitigate risk. Based on the data collected from the third parties on our Exchange, we found that company size correlates with the maturity of the cybersecurity program: as companies get smaller, they have fewer controls in place and less mature programs.
Do larger organizations mean greater risk?
Not necessarily. While all third parties require some level of due diligence, it’s important to engage with the small and mid-sized third parties that you may have assumed pose less risk. These third parties can have significant access to sensitive data and systems and as our data shows, they are often less mature and have lower levels of security control coverage, which are safeguards in place to avoid and/or minimize security risks.
According to a recent Ponemon report, the average organization works with nearly 6000 third parties, and that number is expected to rise by 15 percent over the next year. Due to the sudden and necessary global shift to teleworking, organizations have had to rapidly deploy remote systems, networks, and applications.
As a result, criminals are taking advantage of the increased security vulnerabilities to steal data, generate profits, and cause disruption. In fact, a different Ponemon report states that 82 percent of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.
Because of this, when you have thousands of third parties in your vendor ecosystem, it becomes challenging—though more important than ever—to know each organization’s control coverage, which is an indication of which Strategic, Operational, Core, and Management controls a third party has in place.
There are four categories of control coverage that our data covers:
- Strategic controls address cybersecurity and privacy policies, planning, and governance
- Operational controls cover everyday security activities such as threat analysis, incident response, and vulnerability management
- Core controls are made up of technical safeguards like data encryption, key management, and endpoint protection
- Management controls focus on security-related processes or functions such as configuration and change management or third-party risk management
Coverage indicates the degree to which controls have been implemented but does not reveal, in high resolution, their overall effectiveness. A CyberGRX Tier 1 assessment reaches deeply into the coverage, strength, and timeliness of controls to get a thorough understanding of how well each one has been implemented in practice. A control that has no coverage will be ineffective. But a control that has been implemented may still be insufficiently effective to prevent an attack.
Company size vs. control group
According to our Exchange Insights data, the greatest disparity in coverage by company size is in the Management and Core control groups.
Companies with $100M to $10B in revenue have similar coverage levels in terms of Strategic and Operational controls (approaching 100% coverage). This means that companies of this size are prepared and have nearly total control coverage when it comes to areas like cybersecurity and privacy policies as well as threat analysis, incident response, and vulnerability management.
Companies with $1B in revenue and above have greater coverage of Core (95%) and Management controls (100%) than their counterparts in the $100M-$250M range, which have 90% coverage of Core controls and close to 95% coverage of Management controls.
The real difference comes when we look at smaller companies, however. Companies with revenues of $1M-$10M have lower coverage across all control groups, particularly in Core controls (82%) and Management controls (78%). This is where doing complete due diligence on all vendors, regardless of size, comes into play. Remember, you can’t assume that just because a company is small, it poses less risk.
Maturity levels & company revenue
Due to the disparity in control coverage discussed above, the data also shows that as company revenue declines, so does the overall maturity level of its security program.
We determine maturity level by asking seven questions that evaluate the people, processes, and technologies that impact the efficacy of each security control group. We then rate maturity on a scale of 0-5 with 5 being the most mature, meaning these companies have programs that are efficient, scalable, and adaptable.
According to the data, the overall maturity for companies with $10B or more in revenue is 4.4 out of 5. As you move down in revenue to the $250M range, maturity drops to 3.8, and if you continue down to the $10M revenue range, maturity drops to 2.9. Across the CyberGRX Exchange of assessed third-party companies, the average maturity level is 3.5.
One potential reason for larger companies having higher maturity ratings is that they have more established business processes and organizational structure than their smaller counterparts. According to a report by Deloitte, there are three characteristics of companies with mature cybersecurity programs: leadership and board involvement, the entire organization being aware of cybersecurity practices, and the fact that the program closely aligns with business strategy.
What this means for your business
It’s important that organizations not only do their due diligence for all the vendors in their portfolio—regardless of size—but also that they take a holistic approach to third-party cyber risk management. Just paying attention to surface-level cybersecurity data or performing outside-in scanning, for example, is only the tip of the iceberg. In order to get complete visibility into the cyber health of third parties, companies should know the maturity levels of the vendors’ security programs because having programs that are efficient, scalable, and adaptable means more security for your business as well.