Firms 'Not Taking Data Threats Seriously Enough'

A recent assessment of the approach being taken by businesses to manage external threats to cybersecurity was a tale of two paths – the right one to take, and the one most are currently on.
May 05, 2022

Editor's Note: This article was originally published on www.cybernews.com.

Prevalent released its report today into third-party risk management – defined as how organizations defend against possible threats to internal data from supply-chain and other outside parties they do business with that might have privileged access.

“This year’s study shows that third-party risk management is at a crossroads, demonstrating that companies have a choice of two paths to take – the existing path and the better path,” said Prevalent.

As an example of this, it praised the fact that organizations appear to be taking a more strategic approach to containing potential threats from outside parties, but said that more still needed to be done.

“Organizations should work to eliminate stubborn manual methods for assessing third parties that make audits more complex and time consuming,” it said, adding that 45% of firms still use spreadsheets, resulting in a third needing a month or more to produce sound audits of firms they do business with.

Prevalent also pointed to the “disparate toolset” used by just under half of businesses to combat external threats, calling for these to be unified “to reduce the time to detect and respond to third-party incidents.” In the past year, a similar proportion had suffered supply-chain disruption or a security breach of some kind.

Too little, too late?

Moreover, it had taken catastrophic cyber incidents, such as last year’s Log4J attacks and Toyota’s supply-chain breakdown after an apparent cyberattack in March, to spur businesses to take cybersecurity strategy more seriously – and despite this shift, many still remained remarkably unconcerned about external risks to their data. One in eight organizations said they did not monitor for third-party breaches, and one in twelve admitted to having no incident response program in place.

As a result of this laxity, such organizations took an average of two-and-a-half weeks to respond to breaches that did occur, “a lifetime for an organization to be vulnerable to a potential exploit,” according to the report, which added: “Good luck when the next SolarWinds hits.”

Poor cybersecurity when dealing with third-party vendors was also found to have contributed to the problem, with seven in ten businesses suffering an outright breach or related incident as a result of slacking off in this area.

This was thought to be partly due to businesses not following through on risk assessment when dealing with partner firms: whereas three-quarters tracked these at the outset of doing business, this dropped to 61-68% after contracts were signed, slumping to just 43% during termination of an arrangement.

This suggests that a threat actor willing to bide their time could wait for the right moment to strike, and illustrates a lack of ongoing diligence among many businesses.

“The percentage of customers tracking risks declines as the relationship lifecycle matures, indicating that companies are focused more on risks at the earliest stages, less so as the relationship continues,” said Prevalent.

In light of the report’s findings, Prevalent is urging organizations to centrally manage vendors they do business with on a single platform, keep tabs on suppliers’ use of technology, and consolidate track records of cybersecurity and other related areas of risk to allow for more integrated assessments of third parties.