As organizations continue to outsource, form partnerships and share data with a growing number of third parties, they become vulnerable to security risks that lie beyond their internal networks. Indeed, high profile breaches over the past year show that network vulnerabilities of seemingly low-risk vendors may lead to data breaches at large corporations. Surprisingly, although IT decision makers have significant interest in tracking third-party security, only a few organizations do so with necessary frequency, according to the findings of a new survey.
The study, “Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability,” is based on surveys of IT security and risk-management decision makers in the U.S., U.K., France and Germany. Conducted by Forrester Consulting on behalf of BitSight Technologies, the study’s findings show that third-party security is a top business concern for executives. However, while there is a growing realization of the need to monitor third-party security, there is also a significant disconnect in the resources available to manage that risk adequately and objectively, according to the report.
“Across the nine types of third-party information we surveyed IT security decision-makers about, an average of 59 percent of the respondents indicated a desire to track and monitor,” according to the Forrester authors. “Yet across those same nine information types, an average of only 22 percent of the companies track with monthly or greater frequency.”
For instance, Forrester researchers found that when it comes to tracking third-party risk, critical data loss or exposure (cited by 63 percent of the respondents) and the threat of cyber-attacks (cited by 62 percent of the respondents) ranked as the top concerns. Interestingly, those concerns seem more pressing to IT decision makers than standard business issues, including whether the supplier could deliver quality, timely service as contracted (cited by 55 percent of the respondents). On the other hand, despite the need for more robust insight into third-party security practices, only 37 percent of the survey respondents reported tracking any of these metrics on a monthly basis, the report notes.
Another key finding is that most of the respondents believe that continuous third-party monitoring would lead to a major improvement in their security effectiveness in key areas, such as event identification time (cited by 76 percent of respondents), event remediation time (72 percent of responses) and response times to high-profile events (71 percent of responses). I was also interested to see that 63 percent of the respondents believe continuous third-party monitoring would improve their ability to screen vendors based on potential risk.
“The supply chain has become a cyber-security minefield for companies, as we’ve seen with breaches caused by third-party vendors at Target, Neiman Marcus, Goodwill, Home Depot and many more,” says Stephen Boyer, CTO and co-founder of BitSight Technologies. “Continuous, data-driven monitoring of third-party security vulnerabilities and threats has become essential for effective vendor risk management.”
I’d like to know your thoughts on potential risk from third-party partners, vendors and suppliers. Is your company like many of those surveyed for the report in that although there is interest in tracking third-party security, it isn’t done frequently?