Based on the data collected from the third parties our customers have loaded into our Exchange, we have found organizations in Technology, Telecommunications, Financial Services, and Healthcare are more likely to have mature security programs compared to other industries. On the other hand, organizations from Consumer Cyclicals (e.g. leisure, retail, restaurants), Consumer non-Cyclicals (e.g. food, alcohol, household products) and Energy (e.g. oil, gas, solar, and wind) are more likely to have the least mature programs in place.
Having analyzed the data from all completed assessments in our Exchange, CyberGRX also found that Technology, Telecommunications, Healthcare and Financial organizations are also most likely to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorization and authentication. It’s important to note, however, that companies described as mature may still have significant control gaps that create vulnerabilities and opportunity for a cyber incident.
Conversely, the organizations with less mature security programs—Consumer Cyclicals, Consumer non-Cyclicals and Energy—tend to have broader control gaps along with less mature programs. And, no matter the reported maturity of their security program, all industries researched reported areas of weakness—and therefore room for improvement—across the following five areas:
- Desktop and laptop protection
- Server protection
- Virtualization protection
- Data at rest protection
- Data in motion protection
In many cases, these gaps in protections are considered basic security controls. The lack thereof leaves companies—and those in their third-party ecosystem—open to risks such as ransomware attacks, website defacement, data modification, exfiltration, and malicious use of PII. All of this can put supply chains and day-to-day operations in jeopardy.
Why does this matter across all industries?
- As a recent Ponemon study found, digital transformation is driving organizations to rely on more and more third parties. Knowing that companies in certain industries are less mature or more likely to have significant gaps in their cyber security programs can be helpful in determining what to prioritize and where to focus your attention. Furthermore, while companies with low maturity may implement security controls, they may be neither effective and sustainable nor backed by institutional planning and standardization.
- COVID-19 is accelerating digital transformation and impacting the security of different industries dramatically. Given the regulatory market that healthcare companies must operate under, it is no surprise that a certain degree of organizational maturity is necessary to operate successfully in that space. But the rapid emergence of tele-medicine in 2020 and the sensitivity of Protected Health Information (PHI) introduces additional expectations and burdens on companies in that sector. Financial institutions have increased their reliance on cloud providers, and thus, must now revisit their security practices. While these industries were typically more cyber-mature, they likely have their work cut out to maintain that maturity level today.
- Security maturity doesn’t mean you are risk free. In particular, ransomware attacks against healthcare providers in recent years remind us that maturity is a broad concept and not exclusively focused on the needs of mitigating cyber threats.
What does this mean for your business?
- Prioritization and knowledge are critical in combatting the many cyber threats out there today. However, it’s important to take a realistic look at the security maturity of your organization. For example, in a recent study by Integris Software, most healthcare organizations were overly confident in their technical maturity, with 70 percent of respondents reporting they were very or extremely confident in knowing exactly where sensitive data resides.
- Employing a data first approach to your cyber security strategy can help you prioritize your resources and budget to critical areas. In this insight, we are relaying trends we are seeing firsthand across industries to highlight maturity and gaps that may indicate a need to rethink or reprioritize your third-party cyber risk management program, but actually doing so would require a deeper level of analysis across your third-party ecosystem.
Published by: The CyberGRX Analytics Team
About CyberGRX Insights
CyberGRX has been collecting third-party risk data since 2016. With over 80,000 third parties ingested and 4,500 active assessments on third parties, we not only have the world’s largest Exchange of cyber risk data, but we now have enough data to inform the industry and organizations around the world with third-party risk insights and trends. These insights were produced by analyzing this data, including data produced by recent assessments for companies in the exchange, and aggregating results into the industry sector that each company primarily services. The risk analysis used to measure inherent risk and identify control gaps relies on a custom database of threat use cases derived from a broad set of government, academic, and industry sources. These tie together threat actors, their intended outcomes, and a series of kill-chain stages employed during the attack. The kill-chains are based on the MITRE ATT&CK framework with its related taxonomy and are linked back to the controls in the CyberGRX assessment that could mitigate them. CyberGRX performs a graph-based analysis of the applicable use cases for a company’s industry, their assessment answers, and a series of scoping responses to determine how customers engage with their third parties across eight asset types (see AIR Insights™). These algorithms surface the control gaps and other risk metrics that are most relevant to each third-party.