A new survey points to widespread uncertainty around IT security risks as companies turn to outsourced offerings as a means of building up their value propositions – a trend that has gained momentum amid Covid-19 and labor shortages. The report says that expansion has broadened attack surfaces as threat actors target weaker vendors with strong market penetration to quietly surveil and paralyze systems.
According to a recent survey from CRA Business Intelligence, the research and content arm of cybersecurity information services company CyberRisk Alliance, 60% of respondents experienced an IT security incident in the past two years due to a third-party partner with access privileges, and were most likely to have had sensitive data stolen or to have suffered some type of business outage. While 52% of those who experienced third-party related attacks indicated they lost less than $100,000 in damages, another 45% incurred higher costs, with a few paying $1 million or more. More than 70% believed that tracking components, sub-assemblies, and final products is very or critically important. But respondents lamented that such visibility is severely limited.
More than three out of four (76%) IT leaders and influencers rated managing third-party risk as a high or critical priority at their organizations. For most respondents (74%), this priority has increased in importance since 2020, when the pandemic created major micro and macro business disruptions, including supply and workforce shortages.
“Having started my compliance career in third-party vendor management in 2003, I’m still surprised at the lack of visibility into the risk that third-party suppliers pose to organizations,” said Matt Alderman, EVP of CyberRisk Alliance’s Business Intelligence Unit. “This research confirms that third-party risk is a critical component of your overall risk management program, especially considering recent attacks. With increasing damages and outages, it’s time for organizations to manage the risk of their third-party suppliers.”
The survey was conducted in late fall 2021 among more than 300 IT and cybersecurity decision-makers and influencers who use third parties.
Companies have little visibility into the security of the third parties they use, and partners may be in a prime position to mitigate those risks.