Third-Party Cyber Risk: 6 Facts Every CISO Should Know
If your organization is like most, then it works with third-party suppliers. Yet not everyone fully comprehends the cyber risk that comes along with doing so, and how serious the problem has become in 2020.
A combination of supply chain complexity, increased cloud storage, new data privacy regulations, remote work and rising cyberattacks has created the perfect storm for third-party cyber risk—and the numbers bear this out.
Still need to be convinced about why third-party security management is so crucial to businesses? Here are 6 recent revealing facts to consider:
1. The number of third parties is increasing.
According to a recent Gartner report, the median organization contracts with 5,000 third parties. In addition, 72% of compliance leaders expect that number to increase by 2022.
These numbers matter because every additional third party expands an organization’s attack surface, leaving it more exposed to cyberattacks that arrive through those third parties. Bottom line? The more third parties you work with, the greater the cyber risk.
2. COVID-19 has resulted in increased cyberattacks.
Cyberattacks have increased significantly in the wake of the coronavirus pandemic. According to Zscaler, in March alone there was a 30,000% increase in COVID-19-related attacks and malware.
Many of these attacks exploited the “new normal” of businesses working from home, with far less security in place than at the office. In fact, 51% of companies experienced more phishing attacks due to employees working remotely (Barracuda).
Small supply chain partners have been particularly vulnerable to such attacks, because they often lack the necessary security know-how and human resources.
3. Third-party vulnerabilities are being exploited.
According to a recent Gartner report, the majority of data breaches and cyberattacks exploit third-party cyber gaps. The report found that in 2019, 44% of companies experienced a significant data breach through a third-party vendor. (Source: “Procurement on the Front Lines: New Trends in Data Privacy and Cybersecurity Risks,” May 26, 2020.)
Similarly, Deloitte reported that 83% of organizations experienced a third-party incident in the past three years, with 11% causing a severe impact on customer service, financial position, reputation or regulatory compliance.
These statistics illustrate why it’s so important to have a comprehensive third-party security management process in place that pinpoints cyber gaps and helps close them.
4. All types of organizations are vulnerable to third-party cyberattacks.
You might think that financial institutions are, by definition, the most secure and hence the least likely to suffer a cyberattack. However, according to Carbon Black, 33% of surveyed financial institutions said they’ve encountered island hopping, an attack where supply chains and partners are commandeered to target the primary financial institution.
This is only one example. Organizations of all sizes and from all industries are susceptible to third-party cyberattacks.
5. Third-party cyber incidents are more expensive and frequent.
Your organization has a lot to lose from a data breach—and it’s not just customer trust. According to the aforementioned Gartner report, involving a third party makes cyber incidents both more expensive and more frequent. In fact, the report concluded that a data breach is $700,000 more expensive when a third party is involved.
6. Data privacy regulations are increasing and are being enforced.
One Gartner report recently pointed out that the last 12 months have seen more changes in privacy than the entire century before it. With regulations like GDPR, CCPA, the New York Shield Act and many more, organizations are struggling to keep up and to make sure that their third parties comply as well.
These regulations are being enforced, and the penalties can be substantial. According to Help Net Security, 340 GDPR fines have been issued totaling over £150 million since May 2018—and that’s just one regulation.
What can be done?
Clearly, it’s important to have a thorough and scalable third-party security management program in place like Panorays, which considers the entire lifecycle of vendor management.
To address the issues above, Panorays provides the following:
- Asset discovery, so organizations can be aware of all of the third and fourth parties with which they do business.
- A work from home questionnaire, which assesses the security of third parties that are working remotely.
- A comprehensive 360-degree cyber risk rating that uncovers vulnerabilities by combining security questionnaire responses, an assessment of the vendor’s attack surface and the vendor’s business impact.
- Continuous monitoring of the vendor’s attack surface, with live updates about any cyber issues.
- Checking for compliance with regulations such as GDPR, CCPA and NYDFS.
Want to learn more about how Panorays can reduce your third-party cyber risk? Schedule a demo today.