Based on the data collected from the third parties our customers have loaded into the CyberGRX Exchange, on average, 20% of an enterprise’s third-party portfolio exhibits a high inherent risk profile. Inherent risk is the risk that exists absent of any security controls—and determining it is critical to helping organizations identify who to focus their assessment efforts on.
This means that 20% of an organization’s third parties are likely to have a cyber event that would expose them to business harm, and the impact of that event will be significant to the enterprise. See below as we break down these numbers and what they mean for businesses, third-party partners and supply chain systems around the world as the risk of cyber pandemics continues to rise.
Why does this 20% matter?
1. When you consider that the typical enterprise has an average of 5,800 third parties, that is a significant amount of risk that requires, at a minimum, some level of due diligence.
We conducted a study with Ponemon in 2020 surveying nearly 900 respondents about the impact digital transformation has on their organization. And the biggest impact reported? Increased reliance on third parties—such as cloud providers, IoT and Shadow IT. This study found that organizations currently have an average of 5,800 third parties and they expect this number to grow by 15% in the next year. So, the challenge will only continue to grow if left unchecked.
2. Then consider that over 50% of organizations believe they are ineffective at conducting the due diligence on their current third parties.
This stat was also reported during the Ponemon survey, and, independently, a recent study from PWC found "only 42% of medium and large Financial Services (FS) institutions say they assessed the security of third-party outsourcers—and only 38% say they began monitoring fourth-party relationships in the last year. While 59% of medium and large FS institutions say they plan to increase spending on third-party risk management over the next 12 months, which is a notable uptick compared to the last two years, increased spending is not a silver bullet without proper strategy."
3. With the acceleration of digital transformation in the last year, we anticipate that most organizations’ third-party populations are going to grow – which means a larger population of third parties that will require attention and won’t get it.
But don’t just take our word for it. A CoalFire study found that "As companies continue to prioritize digital transformation, it's often difficult to see the cyber risks within their networks when working with third-party providers to do so." This study also states that "the influx of high-profile cyberattacks we've seen in recent years, in which companies' networks were breached via a third-party, demonstrate it's critical for companies to develop a holistic understanding of their internal and external security postures."
What does this mean for you?
It means that if your third-party security isn’t on your radar (we’re talking to you, C Suite) or a top priority, we are giving you a few reasons why it should be—sooner rather than later. Our collective reliance on third parties isn’t going away, and the first step to a mature third-party program is simply identifying who your third parties are and understanding their inherent risk. Once you know which ones pose the most inherent risk to you, you can move forward with due diligence and assessment to determine whether they have the proper security controls in place to mitigate that risk. But you have to start somewhere, and we believe that is inherent risk.
How CyberGRX Can Help
The CyberGRX team determines inherent risk to gauge business exposure in two ways. First, we build profiles on third-party types using a combination of responses to eight business impact questions the enterprise completes. Second, we deploy our automated inherent risk tool, CyberGRX AIR Insights™, which applies statistics and constantly updates that data. AIR Insights helps generate a business exposure score based on how similar third parties have been rated before, using Thomson Reuters business classifications. Organizations can use these insights as an initial guide, customizing the business impact questions as needed based on their own engagement to get a more accurate business exposure estimate.
Adam Gray - Data Scientist
Joe Marques - Data Miner & Software Architect
Dan Tobin - Analytics Director
About CyberGRX Insights
CyberGRX has been collecting third-party risk data since 2015. With over 85,000 third parties ingested and 4,500 active assessments on third parties, we not only have the world’s largest Exchange of cyber risk data, but we now have enough data to inform the industry and organizations around the world with third-party risk insights and trends. These insights were produced by analyzing this data, including data produced by recent assessments for companies in the exchange, and aggregating results into the industry sector that each company primarily services.
The risk analysis used to measure inherent risk and identify control gaps relies on a custom database of threat use cases derived from a broad set of government, academic, and industry sources. These tie together threat actors, their intended outcomes, and a series of kill-chain stages employed during the attack. The kill-chains are based on the MITRE ATT&CK framework with its related taxonomy and are linked back to the controls in the CyberGRX assessment that could mitigate them.
CyberGRX performs a graph-based analysis of the applicable use cases for a company’s industry, their assessment answers, and a series of scoping responses to determine how customers engage with their third parties across eight asset types (see AIR Insights™). These algorithms surface the control gaps and other risk metrics that are most relevant to each third party.
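As an added illustration (not CyberGRX's code or algorithm), the Python sketch below models the kind of graph described above: constructed threat use cases tied to kill-chain stages, stages linked to the assessment controls that could mitigate them, and a ranking of control gaps derived from a third party's assessment answers. Every use case, stage name, control id and answer here is constructed for the example.

```python
# Illustrative use-case -> kill-chain stage -> control graph and the
# control-gap ranking it supports. Added example, not CyberGRX's code;
# all use cases, stage names, control ids and answers are constructed.
from collections import defaultdict

# Constructed threat use cases: actor, intended outcome, industries they
# apply to, and the ATT&CK-style tactics (kill-chain stages) traversed.
USE_CASES = [
    {"id": "UC1", "actor": "ransomware crew", "outcome": "extortion",
     "industries": {"finance", "healthcare"},
     "stages": ["initial-access", "execution", "impact"]},
    {"id": "UC2", "actor": "credential phisher", "outcome": "account takeover",
     "industries": {"finance"},
     "stages": ["initial-access", "credential-access", "lateral-movement"]},
    {"id": "UC3", "actor": "insider", "outcome": "data theft",
     "industries": {"healthcare"},
     "stages": ["collection", "exfiltration"]},
]

# Constructed edges from each kill-chain stage to the assessment controls
# that could mitigate it (the link between threat side and control side).
STAGE_CONTROLS = {
    "initial-access": {"C-email-filtering", "C-mfa"},
    "execution": {"C-edr"},
    "credential-access": {"C-mfa", "C-password-policy"},
    "lateral-movement": {"C-segmentation", "C-edr"},
    "collection": {"C-dlp"},
    "exfiltration": {"C-dlp", "C-egress-monitoring"},
    "impact": {"C-backups"},
}


def control_gaps(industry, answers):
    """Return {control: count of applicable use-case stages left exposed},
    ordered so the control whose absence touches the most attack paths
    comes first. `answers` maps control id -> True if the third party
    reports having that control in place."""
    gaps = defaultdict(int)
    for uc in USE_CASES:
        if industry not in uc["industries"]:
            continue  # use case is not applicable to this industry
        for stage in uc["stages"]:
            controls = STAGE_CONTROLS.get(stage, set())
            # A stage counts as mitigated if any linked control is present.
            if any(answers.get(c) for c in controls):
                continue
            for c in controls:
                gaps[c] += 1  # each missing control leaves this stage exposed
    return dict(sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0])))
```

Scoping responses (the eight asset types the page mentions) would be a further filter on which use cases apply; the sketch only filters by industry.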