While organizations are facing threats from malicious actors and nation-state groups, they should also be concerned with the security risks that their vendors and service providers are introducing into their environment, according to new research from cybersecurity ratings company SecurityScorecard.
The New York-based company’s research, conducted with cybersecurity research firm Cyentia Institute, found that 98% of organizations have a relationship with at least one third party that has experienced a security breach in the last two years.
The study analyzed data from over 235,000 organizations across the globe and more than 73,000 vendors and products used directly by those organizations, and found that the more third parties organizations engage with, the more risk is introduced.
According to the study, Close Encounters of the Third (and Fourth) Party Kind, 50% of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years.
For every third-party vendor in its supply chain, an organization typically has indirect relationships with 60 to 90 fourth parties, the research found. Additionally, third-party vendors are five times more likely to exhibit poor security than the organizations that use them.
SecurityScorecard also found that even among organizations that earn an A rating for their own security posture, about 10% of their third-party vendors receive an F rating.
According to the research, the information services sector has the highest average number of third-party relationships at 25, more than twice the average across all sectors. That could be due to that sector’s reliance on technology, the firm theorizes.
At the other end, the finance sector averaged the lowest number of third-party relationships at 6.5. Between information services and finance were healthcare and insurance, which averaged 15.5 and 11 vendors, respectively.
SecurityScorecard says organizations should take these steps to address their third- and fourth-party risk:
- Identify which companies your organization works with and gain visibility into your organization’s vendor ecosystem.
- Determine the security posture of your organization’s vendors.
- Collaborate with vendors to improve your organization’s security posture.
- Monitor your vendors’ cyber risk.
The data demonstrates why managing cyber risk across the digital supply chain is critical as threat actors work to exploit third-party vendors, says Wade Baker, partner and co-founder at The Cyentia Institute.
“Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” Baker says. “By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”