Third Party Risks Worsen
September 28, 2017
study uncovers the security risk companies face when sharing
sensitive information with third parties. Cyberattacks – like
the recent Equifax data breach – are becoming more and more
common. One of the leading risks companies face when defending
against cyberattacks is the one brought on by their third-party
ecosystem. In fact, fifty-six percent of companies surveyed by
Ponemon experienced a data breach caused by a third party, a
seven percent increase from 2016. The survey also found that 42
percent of companies experienced cyberattacks against third
parties that resulted in the misuse of their company's sensitive
or confidential information, an 8 percent increase from 2016.
Three-quarters of organizations said they believed the total
number of cyber security incidents involving third parties are
The survey found that effectiveness in managing third-party
risks remained low. Fewer than one in five companies – 17
percent – felt their organizations effectively managed
third-party risk. And less than half of all respondents said that
managing outsourced relationship risks is a priority in their
One of the key deficiencies identified in the study was that
companies lacked visibility into their third-party
relationships. Although the number of third parties with access
to confidential or sensitive information has increased by 25
percent, compared with 2016, more than half of the companies do
not keep a comprehensive inventory of all third parties with
whom they share sensitive information. And, only 18 percent of
respondents know how Nth parties access and process data.
Dov Goldman, VP, Innovation & Alliances of Opus, said,
"Cyber-criminals continue to target weak links because companies
are failing to successfully manage risk. Smart companies are
learning from those that have implemented clearly defined
third-party risk management programs supported by good
governance and robust technology."
The study identified a strong correlation between implementing
certain governance and IT security practices and a reduction in
third-party data breaches. These practices include:
Evaluating security and privacy practices of all third parties.
Supplement contractual agreements with audits and assessments.
Organizations that adopted these practices were 20 percent less
likely to experience a breach.
Creating an inventory of all third parties with whom information
is shared. Organizations should prioritize visibility into third
party data – and learn whether they share this data with others.
Organizations with a comprehensive inventory were 19 percent
less likely to experience a breach.
Oversight by the board of directors in third-party risk management
programs. This includes regular reports on the effectiveness of
these programs based on the assessment, management and
monitoring of third parties. Organizations whose board of
directors requires assurances that third-party risks are
effectively being managed were 10 percent less likely to
experience a breach.
Analyzing Third Party Risk
second annual Data Risk in the Third-Party Ecosystem Study
included 625 individuals across multiple industries familiar
with their organization's approach to managing data risks
created through outsourcing. All organizations represented in
this study have a vendor data risk management program. Companies
were asked to consider only those outsourcing relationships that
require the sharing of sensitive or confidential information or
involve processes or activities that require providing access to
sensitive or confidential information.
Dr. Larry Ponemon commented, "Data breaches and cyberattacks
continue to plague organizations who are often unaware that the
source of their information security risks can result from
sensitive data obtained by a third or Nth party. It is critical
for organizations to actively manage their third-party
interactions by implementing standard processes, including
inventory and policy review and documentation, senior leadership
and board member oversight, as well as other safeguards to
reduce their vulnerability."