
Prevalent's 2023 Third Party Risk Management Study

Prevalent released its 2023 Third Party Risk Management Study which detailed the effects of third party data breaches and security concerns.
May 11, 2023

Editor's Note: This article was originally published on

Yesterday Prevalent released its 2023 Third Party Risk Management Study, which details the effects of third-party data breaches and security incidents on the organizations surveyed. It also highlights the manual methods that nearly half of the companies questioned still rely on to detect third-party risks. The respondents were directly involved in their organizations' third-party risk management programs and came from a range of industries.

Risk from third-party vendors has affected 41% of companies polled.

41% of respondents indicated that their organization had been affected by a third-party data breach in the last 12 months. Prevalent writes, “When there was a tangible impact to the organization, it primarily resulted in costs to remediate or recover from the breach or incident more so than losing customers, revenue or reputation.” Prevalent reports that, “unfortunately,” 54% of respondents said their organizations still use manual spreadsheets and news feeds to detect third-party breaches. On the positive side, the share of companies not monitoring for third-party breaches at all has fallen from 12% to 4%. When asked whether they would give up manual detection methods, nearly half of the companies said they would not stop tracking third-party risk manually. Prevalent argues that these manual methods are not working, noting that “a growing percentage of companies responded ‘Unsure’ when asked if their current method of assessing risks throughout the lifecycle, assessing multiple risk types, reporting and incident response was working.” Its conclusion is that manual risk assessment and management, spreadsheets in particular, is too slow and unwieldy for an ever-evolving threat environment.

Third-party risk is driving greater InfoSec involvement in companies.

The study's second finding is that 62% of respondents cited third-party breaches and security incidents as important factors driving increased involvement in third-party risk management across different parts of their companies. 70% of respondents said InfoSec is now more involved, 34% said business owners are more involved (with 57% reporting the same level of involvement as before), and 33% said executives are more involved. Prevalent writes, “We believe Infosec’s increased involvement and ownership signals greater adoption of third-party risk management as a standard security practice in organizations, perhaps advancing it toward the ranks of traditional security cornerstones like patch management and perimeter security.”

20% of companies polled are not tracking or remediating third-party risk.

20% of the companies surveyed do not appear to be tracking or remediating third-party risks at all, and among those that do track risks, far fewer act on what they find. Prevalent writes, “the disparity between tracking risks and actually doing something about those risks (i.e., remediating them) that is the big surprise here. The significant gap between tracking and remediating risks in the Initial Assessment and Sourcing & Pre-Contract Due Diligence stages is especially surprising, as these are the primary stages to discover and remediate risks before they impact the organization! … Not surprisingly, the Offboarding and Termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47%) and remediating (38%) risks, and the highest percentage of companies doing nothing at all (39%).”

Recommendations for evaluating third-party vendor risk.

Prevalent recommends that companies manage third-party risk through a single process or system rather than having multiple teams and tools assess different things in isolation. It writes, “A better approach is to unify all internal teams with a single set of workflows, third-party risk profiles, assessments, and reporting. At a minimum, a solution should include the following capabilities to harmonize processes across enterprise teams.” Centralizing the information being tracked lets a company streamline its decision making. Prevalent also suggests automating risk assessments, with questionnaire selection and scored responses, so that the most critical findings can be triaged and addressed first. A further recommendation is to “Include prescriptive remediation guidance to quickly mitigate risks before they impact your organization.” Having a remediation plan in place before an incident occurs shortens a company's response time to a critical event and gives it a chance to prevent the risk from materializing at all. Any company exposed to third-party risk should have such plans in place for the incidents that are increasingly likely to affect it.