The increasing demand for technology solutions in an era of digital transformation presents both opportunities and challenges. Recent survey data from the Flexera 2022 Tech Spend Pulse report shows that 71% of companies anticipate a year-over-year rise in their IT budgets. How will they spend it?
- 74% will focus on digital transformation initiatives
- 73% will allocate resources to cybersecurity
- 65% plan to migrate to the cloud
This is all good news for technology companies (or at least the sales teams)! The expanding market brings promising prospects as more businesses seek to enhance their existing solutions or implement new services, AKA additional avenues for revenue generation. However, alongside these opportunities, technology companies need to be aware of the challenges in managing an expanding ecosystem and first- and third-party risks. Malicious actors view connected technology solutions as potential gateways to access enterprise and small business data, thereby intensifying the need for effective cyber risk management.
In this article, we will examine some of the primary cyber risk management challenges the technology industry encounters and explore potential steps that tech companies can take to mitigate the risk of compromise.
Crashing the Party
When it comes to cyber risk management, parties cause problems. Specifically, tech companies face mounting pressure on two fronts: first-party data management and its counterpart, third-party data management.
First-party issues are related to services and data hosted, managed, and utilized directly by a technology company. For example, financial records stored on local servers and managed by legacy applications are a form of first-party data.
Third-party data challenges, meanwhile, are related to data collected, handled, or processed by third-party providers. These providers are now commonplace for tech industry firms as they look to compete in a global marketplace where customers expect consistent service and support regardless of their physical location. As a result, technology companies may partner with design, development, analytics, and security firms to streamline the process of service and solution delivery — but just as these partnerships offer substantive benefits for businesses, they also come with potential drawbacks.
First-Party Problems: Issues in Isolation
First up are first-party problems. As noted by the IBM Security X-Force Threat Intelligence Index 2023, attackers are compromising first-party data faster and with more sophistication. In 2020, the average ransomware deployment time was 9.5 days; a year later it had dropped to just 3.85 days. Bad actors are getting more adept, and not in a good way. What's more, just 26% of attacks relied on known exploits, meaning attackers are thinking outside the box to find new ways into your environment and break down your business defenses.
Data breaches are also getting more expensive. According to the 2022 Cost of a Data Breach report, the average data breach cost in the United States is now more than $9.4 million. For technology companies managing first-party data such as intellectual property (IP), accounts payable (AP), or financial information, these breaches are about more than money: if clients don't trust businesses to protect their own data in-house, they're unlikely to trust those companies to deliver critical IT services.
The silver lining? If businesses can keep the scope of data breaches contained to local servers, they can limit the risk to clients. While these issues in isolation can be costly for companies to address and remediate, the overall impact can be minimized with effective incident response.
Third-Party Impacts: Security Breaches at Scale
On the third-party side of the equation, meanwhile, security breaches mean significant problems for businesses at scale.
Third-party risk stems from the sheer volume of third-party providers now used by tech firms to help manage operations and streamline tasks. According to a recent Global Cyber Executive Briefing from Deloitte, technology firms "generally have a higher risk appetite than their counterparts in other sectors," and they also tend to adopt new technologies, such as cutting-edge mobile devices and emerging applications, earlier than companies in other industries. The result is a third-party protection landscape shaped by the inherent risk of any third-party service and the uncertainty that comes with emerging and often untested solutions.
As noted by research firm Gartner, third-party risk management "misses" — or problems in third-party management that lead to incidents — are actively hurting organizations. Consider that in 84% of cases where risk management programs didn't hit the mark, business operations were disrupted. The survey data also showed that:
- 66% of misses led to a negative financial impact
- 59% caused an adverse reputational impact
- 33% resulted in regulatory action taken by governing or standards-making bodies.
Third-party breaches also come with the problem of lateral movement. Data from VMware's Global Incident Response Threat Report 2022 found that lateral movement appeared in 25% of all attacks recorded. This means that in one of four cases, attackers aren't simply looking to compromise company data hosted or managed by third parties; they are trying to move laterally across connected networks to reach servers and data closer to home.
Third-Party Risk Management (TPRM): Challenges and Best Practices
Despite the growing risk of third-party attacks, most technology companies lack the strategy and solutions to manage cyber risk effectively.
This isn't to say they don't recognize the risk. Far from it — organizations acknowledge the role of security assessments in regulatory due diligence and as part of the application process for cybersecurity insurance. With attacks on the rise, cyber insurance companies have adopted a much stricter approach to cyber hygiene that requires companies to prove their processes are up to par rather than taking them at their word.
The problem? These risk evaluations typically take one of two forms: security ratings tools or spreadsheet assessments. While both approaches offer a point-in-time summary of third-party risk, neither can provide near- or real-time data. As a result, decisions based on the outside-in scanning of security rating tools, or on questionnaires answered months ago by third parties and tracked in spreadsheets, may not be effective in countering third-party threats.
Best case scenario? New threats are similar to old ones, and companies suffer minimal losses. Worst case? Evolving attack vectors circumvent third-party security, help hackers access local servers, and allow them to compromise critical, first-party data. It's no surprise that 54% of organizations feel that spreadsheet assessments provide little value, and just 8% result in action. This means that while assessments may be enough to secure insurance, they're not enough to inform protective action.
To effectively manage cyber risk across both first- and third-party environments, technology firms need a TPRM solution capable of identifying third parties that pose the greatest risk, prioritizing these vendors, and then helping teams to apply the right level of due diligence to mitigate that risk.
A risk management platform with standardized data (such as CyberGRX) also enables technology organizations to trend data and pinpoint product suppliers, vendors, or service providers that exceed acceptable risk levels.
When it comes to TPRM best practices, three components are critical:
Identification and Assessment
Effective TPRM requires identifying third-party risks and assessing their overall impact. Given that 20% of third parties used by organizations are typically considered high-risk, identification and assessment are essential to help companies prioritize protective action or take steps to remove third parties from active service.
Analysis and Reporting
Total risk isn't defined simply by current third-party risk; it's also connected to industry-wide threat data. For example, companies in the technology sector now face the increased risk of ransomware-as-a-service (RaaS) threats, in which low-skilled actors purchase pre-built attack kits on the Dark Web. Not only do these kits help them breach third-party defenses, but many also come with customer support from the kit operators in case of implementation problems or early detection.
Security teams are better prepared to take action when equipped with an understanding of current threats and their role in potential breaches.
Monitoring and Security
Finally, tech firms need tools capable of continuous monitoring and security. Given the dynamic nature of both attack surfaces and attack vectors, especially as companies layer on more third-party services to streamline operations, businesses need to know what's happening across their environment at any given moment — and need solutions capable of taking action when issues emerge to help reduce total risk.
Party Time is Over
First- and third-party data risks aren't going away. But technology companies can frustrate attackers' efforts to get in on the action with TPRM strategies that deliver complete visibility, prioritize real-time results, and allow companies to adapt on demand.
See how CyberGRX can help to pinpoint and mitigate your third-party cyber risks. Get started today.