Third-Party Vendors Are a Risk Without Full Visibility of Security Posture

By Greg Tavarez, TMCnet Editor  |  February 03, 2023

Cybersecurity is a permanent concern. Yet, organizations tend to look only at the technology they own and control when assessing their attack surface. That is poor practice, because attacks can also arrive through third-party risk.

In short, a third-party risk is any risk introduced to an organization by external parties in its ecosystem or supply chain. These can be vendors, suppliers, partners, contractors or service providers. If they have access to internal company or customer data, systems, processes or other privileged information, they are a risk and should be monitored as part of the attack surface.

It’s imperative that organizations monitor third-party and fourth-party risks: research from SecurityScorecard and The Cyentia Institute states that 98% of organizations have vendor relationships with at least one third party that experienced a breach in the last two years. The study also found that half of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years.

The survey isn’t out there to ring alarm bells and start a witch hunt against certain external parties. It’s more of a reminder that organizations need to monitor not only their own technology and infrastructure, but also gain better insight into the security of their third and fourth parties.

“Organizations need visibility into the security ratings of their entire third- and fourth-party ecosystem so that they can know in an instant whether an organization deserves their trust and can take proactive steps to mitigate risk,” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

The research also provided insights on ways to mitigate third- and fourth-party risk. More third-party vendors in a supply chain means more risk, and the risk grows when a company's third-party vendors are spread across multiple countries.

This obviously makes sense, but the research shows how far actual practice lags behind it. For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth parties. Third-party vendors are five times more likely to exhibit poor security, and approximately 10% of third-party vendors receive an F rating among organizations that earn an A rating for their own security posture.

When it comes to the regional dimension, SecurityScorecard found that 59% of organizations have vendors from five or fewer countries, while roughly 14% work with vendors spanning 10 or more countries.

The more relationships an organization has, and the more regions those relationships span, the greater its exposure to a cyberattack.

“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have,” said Wade Baker, partner and co-founder at The Cyentia Institute. “Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk.”

Organizations that have full visibility into the security posture of their third and fourth parties are better placed to mitigate risk, because everyone involved can address the cybersecurity gaps that visibility reveals.

Edited by Greg Tavarez