Panorays is focused on third-party security management – that is, the security posture of suppliers, vendors, partners and others doing business with an organization. But there’s yet another level that all businesses need to be concerned with – the partners and suppliers of their third parties, which are better known as fourth parties. We found that there is a direct correlation between the security posture of the third party and its fourth parties.
Each third-party organization relies on dozens, if not hundreds, of additional fourth parties. In our new research, we mapped a myriad of connections between third and fourth parties, including their cyber posture ratings, to understand whether any correlation exists.
During the cyber posture assessment of a company, Panorays automatically discovers all of the company’s digital assets, including domains and IP addresses. Panorays then collects information about each asset; for example, the technologies that are in use. The data collection includes common methods such as technology fingerprinting and DNS record mining.
At the end of the assessment, Panorays has a considerable amount of data from company assets and mappings to external assets and technologies. Since Panorays has a large database of hundreds of thousands of companies, it can correlate the external assets to real companies and automatically detect many suppliers. Many times, these are suppliers that the organization itself is not even aware it is using.
While there is an obvious bias towards technology suppliers, Panorays has additional methods for identifying non-tech suppliers in the discovery process.
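The DNS record mining step described above can be illustrated with a small script. This is an added example, not Panorays' code: it walks a constructed set of DNS records for a hypothetical domain (`example-corp.test`), pulls out every external hostname that MX, NS, CNAME and SPF `include:` records point at, and maps those hostnames to vendors using an illustrative suffix table that stands in for the large company database the post mentions. Unmatched external hosts are returned separately, since in practice those are the candidates for the "suppliers the organization is not aware of".

```python
"""
Added example (not Panorays' code): infer a company's technology suppliers
("fourth parties") from its own DNS records. The records below are
constructed sample data; the vendor-suffix table is an illustrative
assumption standing in for a real supplier database.
"""
from collections import defaultdict

# Constructed DNS records for a hypothetical domain (no network lookups).
SAMPLE_RECORDS = [
    ("example-corp.test", "MX", "1 aspmx.l.google.com."),
    ("example-corp.test", "TXT", "v=spf1 include:_spf.google.com include:sendgrid.net -all"),
    ("www.example-corp.test", "CNAME", "example-corp.netlify.app."),
    ("shop.example-corp.test", "CNAME", "shops.myshopify.com."),
    ("example-corp.test", "NS", "ns1.cloudflare.com."),
    ("status.example-corp.test", "CNAME", "stats.uptimerobot.com."),
    ("internal.example-corp.test", "CNAME", "gw.example-corp.test."),
]

# Illustrative mapping of hostname suffixes to vendors (an assumption).
VENDOR_SUFFIXES = {
    "google.com": "Google",
    "sendgrid.net": "Twilio SendGrid",
    "netlify.app": "Netlify",
    "myshopify.com": "Shopify",
    "cloudflare.com": "Cloudflare",
}


def _vendor_for_host(host):
    """Match a hostname against the vendor suffix table; None if unknown."""
    host = host.rstrip(".").lower()
    for suffix, vendor in VENDOR_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None


def _external_hosts(rtype, rdata):
    """Yield the hostnames referenced by one record's data."""
    if rtype in ("MX", "CNAME", "NS"):
        # MX data is "<priority> <host>"; CNAME and NS data is just the host.
        yield rdata.split()[-1]
    elif rtype == "TXT" and rdata.startswith("v=spf1"):
        # SPF include: mechanisms name the third-party mail senders.
        for token in rdata.split():
            if token.startswith("include:"):
                yield token[len("include:"):]


def discover_fourth_parties(records, own_domain):
    """Return ({vendor: sorted [(record type, host), ...]}, sorted unknown hosts).

    Hosts inside the company's own zone are skipped; hosts that match no
    vendor suffix are reported as unknown for manual review.
    """
    known = defaultdict(set)
    unknown = set()
    for _name, rtype, rdata in records:
        for host in _external_hosts(rtype, rdata):
            host = host.rstrip(".").lower()
            if host == own_domain or host.endswith("." + own_domain):
                continue  # points back into the company's own zone
            vendor = _vendor_for_host(host)
            if vendor:
                known[vendor].add((rtype, host))
            else:
                unknown.add(host)
    return {v: sorted(h) for v, h in known.items()}, sorted(unknown)


if __name__ == "__main__":
    vendors, unmatched = discover_fourth_parties(SAMPLE_RECORDS, "example-corp.test")
    for vendor, evidence in sorted(vendors.items()):
        print(f"{vendor:16s} <- {evidence}")
    print("unmatched external hosts:", unmatched)
```

The same evidence gathering applies to a real zone by replacing `SAMPLE_RECORDS` with records resolved for your own domain; the suffix table is the part that needs a maintained vendor database to scale.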
Panorays researchers collected data from 37,000 fourth parties, generated by over 2,000 third parties. We immediately saw that there are a handful of fourth parties (aka suppliers) that are connected to a very high percentage of third parties.
Over 84% of inspected third parties used Google as a fourth party. These include Google Cloud Platform for infrastructure, Google Maps app integration, Google Analytics and so on.
It is not surprising that Microsoft or Google have such a high reach; therefore, a significant security incident involving one of these companies could impact millions of organizations worldwide.
We removed these suppliers from our dataset to get a more precise view of the unique suppliers each company is using.
For each third party, we built a supplier portfolio and ran an assessment of each fourth party to generate its cyber posture rating. A third party's fourth-party rating is the mean of the cyber posture ratings of all its fourth parties. In addition, we assessed the cyber posture of the third parties themselves. For example:
| Third Party ID | Third Party Rating | Discovered Fourth Parties | Fourth Party Mean Rating | Third Party Level | Fourth Party 80+ |
|---|---|---|---|---|---|
We checked the correlation between this cyber posture rating and the fourth-party rating.
We can see a clear correlation that third parties with a high cyber posture rating have a high fourth-party rating as well.
Looking at the data another way, we grouped the cyber posture ratings into five levels to see the chances of receiving a good supplier rating, which would be above 80.
Here we see that third parties with a cyber posture rating of between 90 and 100 have a 63% chance that their fourth parties will have a cyber posture rating of at least 80.
On the whole, we see that as third parties’ cyber posture ratings increase, their chances of doing business with fourth parties that have good cyber postures increase as well.
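The portfolio method the post describes (drop the near-universal suppliers, average each third party's fourth-party ratings, check the correlation with the third party's own rating, then bucket into five levels and compute the share with a fourth-party mean of 80 or more) can be reproduced end to end on a handful of records. This is an added example, not Panorays' code: all ratings and supplier links are constructed, the 80% usage threshold for removing common suppliers and the five level boundaries are assumptions, and the correlation is a plain Pearson coefficient.

```python
"""
Added example (not Panorays' code): the post's portfolio analysis on
constructed data. Ratings, supplier links, the common-supplier threshold
and the level boundaries are all assumptions made for illustration.
"""
from collections import Counter
from statistics import mean

# Constructed cyber posture ratings (0-100) for fourth parties.
FOURTH_PARTY_RATINGS = {
    "ubiquitous-cloud": 95, "cdn-a": 90, "mail-b": 72, "crm-c": 85,
    "pay-d": 60, "chat-e": 88, "erp-f": 55, "dns-g": 91,
}

# Constructed third parties: (own rating, discovered fourth parties).
THIRD_PARTIES = {
    "tp1": (96, ["ubiquitous-cloud", "cdn-a", "crm-c", "dns-g"]),
    "tp2": (92, ["ubiquitous-cloud", "chat-e", "cdn-a"]),
    "tp3": (85, ["ubiquitous-cloud", "mail-b", "crm-c"]),
    "tp4": (78, ["ubiquitous-cloud", "pay-d", "mail-b"]),
    "tp5": (65, ["ubiquitous-cloud", "erp-f", "pay-d"]),
    "tp6": (55, ["ubiquitous-cloud", "erp-f"]),
    "tp7": (91, ["ubiquitous-cloud", "mail-b", "pay-d"]),
}


def common_suppliers(third_parties, share=0.8):
    """Fourth parties used by at least `share` of third parties (assumed threshold).

    These are removed so the portfolio reflects each company's distinctive suppliers.
    """
    usage = Counter(s for _, suppliers in third_parties.values() for s in set(suppliers))
    n = len(third_parties)
    return {s for s, c in usage.items() if c / n >= share}


def portfolio_ratings(third_parties, fourth_ratings, excluded):
    """Return {third party: (own rating, mean rating of its remaining fourth parties)}."""
    out = {}
    for tp, (own, suppliers) in third_parties.items():
        kept = [fourth_ratings[s] for s in suppliers if s not in excluded]
        if kept:  # skip portfolios emptied by the exclusion
            out[tp] = (own, mean(kept))
    return out


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def level_of(rating):
    """Five levels with assumed boundaries: <60, 60-69, 70-79, 80-89, 90-100."""
    if rating >= 90:
        return "90-100"
    if rating >= 80:
        return "80-89"
    if rating >= 70:
        return "70-79"
    if rating >= 60:
        return "60-69"
    return "0-59"


def chance_of_good_portfolio(portfolios, threshold=80):
    """Per third-party level, the share whose fourth-party mean is >= threshold."""
    total, good = Counter(), Counter()
    for own, fp_mean in portfolios.values():
        lvl = level_of(own)
        total[lvl] += 1
        if fp_mean >= threshold:
            good[lvl] += 1
    return {lvl: good[lvl] / total[lvl] for lvl in total}


if __name__ == "__main__":
    excluded = common_suppliers(THIRD_PARTIES)
    ports = portfolio_ratings(THIRD_PARTIES, FOURTH_PARTY_RATINGS, excluded)
    own = [o for o, _ in ports.values()]
    fp = [m for _, m in ports.values()]
    print("excluded common suppliers:", excluded)
    print("correlation(third-party rating, fourth-party mean):", round(pearson(own, fp), 3))
    for lvl, chance in sorted(chance_of_good_portfolio(ports).items()):
        print(f"level {lvl}: {chance:.0%} chance of fourth-party mean >= 80")
```

With these seven constructed third parties the 90-100 level comes out at two of three (67%) with a fourth-party mean of at least 80 and every lower level at zero, which mirrors the shape of the post's result without reproducing its actual numbers.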
In this research, we showed that third parties with a good cyber posture will have fourth parties with a good cyber posture.
There are a number of evident reasons for this, such as
Clearly, third-party security management is becoming an integral component of companies’ cyber posture, and the numbers in this research bear this out.
This is one more reason for managing third-party security and selecting suppliers that have security awareness and controls in place.