
Organizations Deprioritize Third-party Relationships As Potential Breach Sources, CyberGRX Study Reveals

CyberGRX, the provider of the world’s first and largest global risk exchange, announced the results of its commissioned study on how organizations prioritize third-party risk. Conducted by Forrester Consulting, the research comprises surveys of 319 respondents in IT, security, and risk roles across technology, retail, oil and gas, healthcare, financial services, and other highly regulated industries. The study highlights that while organizations recognize that third-party threats expose them to great risk, many fail to take adequate measures to mitigate it. In fact, while they grapple with third-party cyber risk management (TPCRM), the weak points in their current mitigation strategies exacerbate the threat of cyber incidents.

The Forrester study, Why Isn’t Your Organization Prioritizing Third-Party Risk? identifies four major themes:

  1. Today’s organizations constantly exchange confidential information with third parties. This exposes both sides to significant cyber risk. These information supply lines, enabled by cloud and software-as-a-service (SaaS) adoption, are expected to grow in importance for many enterprises. The percentage of data shared with third parties is expected to rise over the next five years, from 30% to 41% by 2026.
  2. Current third-party risk prevention strategies leave organizations vulnerable. Businesses struggle to manage the risk their third parties present because of both a lack of prioritization and the approach they take. Ninety-five percent of respondents said their organizations had experienced a strategy- or technology-based challenge in managing third-party risk. Without proper oversight, companies become vulnerable to cybersecurity threats, including data loss and ransomware.
  3. Organizations stung by third-party cyber incidents tend to ignore safe risk management practices. Organizations that have experienced a third-party cyber incident express a higher level of concern about managing such risks. However, organizations that have experienced an incident also tend to share a higher percentage of their critical data (30%) than firms that haven’t been hit (22%), and firms that have experienced an incident are less likely to have tools in place to mitigate third-party cyber risks.
  4. Mitigating third-party risk requires a different approach to strategy and technology. Organizations need to approach third-party risk with a new holistic, ecosystem-focused, and cybersecurity-focused strategic mindset. This includes updated third-party assessment analysis, standardized processes, and higher-quality technology solutions.

“Organizations that fail to take thoughtful steps to monitor, defend, and prepare for third-party cyber incidents have undermined their entire cybersecurity posture,” said Dave Stapleton, CISO of CyberGRX. “As the Forrester study highlights, many organizations recognize the hazards posed by third parties; however, their actions do not reflect effective mitigation. Lacking a defined TPCRM strategy creates the opportunity for a breach, even if internal risk management strategies are otherwise solid and effective.”

To improve third-party cyber risk practices, organizations must treat vendors as an extension of their own brand and set a strict baseline and clear expectations for their cyber maturity. Companies should use data and automation to verify that their entire supply chain meets the outlined cyber requirements. It is also imperative to continuously monitor the changing cyber risk of vendors: as new attack vectors emerge, a vendor’s security posture can change rapidly. Finally, constant communication about cyber posture and compliance among all parties involved is critical, and security training for employees and stakeholders should be mandatory.
