
Third-Party Partners Put Organizations at High Risk for Cyberattacks

According to our 2020 Security Study, more than 82% of organizations reported a security incident due to the poor security hygiene of a third-party partner. Learn the importance of considering partners in your cybersecurity planning and our recommendations on how to protect yourself.

Canadian organizations are working with a number of third-party partners and suppliers to provide a wide range of services, from IT outsourcing to managing and administering entire business processes. While these partners provide vital services, many organizations often overlook third-party partners in their cybersecurity planning. On average, small organizations work with 13 third-party suppliers or partners, while enterprise organizations work with 82 third-party suppliers or partners. Though working with third parties is often a necessary practice, these relationships are putting organizations of all sizes at risk of serious data breaches.

According to our 2020 Security Study, more than four in five organizations (82%) reported a security incident due to the poor security hygiene of a third-party partner. In addition, fewer than 40 percent of organizations consider including relationships with third-party partners in their security planning. Enterprise organizations, which work with the largest number of third-party partners, were the worst offenders. Only 28 percent of enterprise organizations have a cybersecurity plan that comprehensively includes all third-party partners and, even more concerning, seven percent of all organizations surveyed admit third-party partners were not considered in their cybersecurity planning at all. Nearly all organizations surveyed allow third-party partners to handle or access customer data and proprietary business information. Without basic visibility into the security of third-party partners, organizations are extremely vulnerable to serious and costly cyberattacks.

Proper review of third-party security can be incredibly challenging when working with many partners. To protect proprietary data while maintaining relationships with third-party partners, organizations need to understand what data and systems third parties are accessing and implement policies and controls to limit access. Third parties should only be given access to data and information that is relevant to their tasks. To limit partner access, it's important to gain a holistic view of a third party's IT environments and security maturity. It may not be possible to perform proper threat risk assessments on all the partners an organization deals with, but something as simple as a periodic questionnaire can help the organization understand whether basic controls and policies are in place in partners' environments.

Organizations can also consider implementing an identity access management process to ensure that vendors who require access to systems and data can be authenticated and identified. This offers better visibility into the network of partners and gives the organization the power to revoke partner access to data when it is no longer required. Scheduling annual check-ins with suppliers and partners to ensure their security policies are up to date can also help assess a partner's security measures. If a third party does not prioritize data security, it may be time to consider other options or suppliers.

To learn more about what organizations can do to protect themselves against cyberattacks, check out our full 2020 Security Study here.