

Businesses don’t operate in isolation, and most are concerned about third-party cybersecurity risks – cyber risks arising from suppliers connected to a company’s systems. That is both unsurprising and reassuring. But expressing concern alone doesn’t address the risks, and many businesses fail to implement adequate risk mitigation strategies.

The term “third-party risk” itself may even be misleading, because third-party suppliers have vendors of their own, and attackers may also use these “fourth-party” suppliers as an initial attack vector.

The result is a complex nexus of companies with seemingly endless access points, any of which may serve as an attack vector to bring down the entire ecosystem.

Below is a summary of a survey conducted by Harvard Business Review Analytic Services that asked 200 executives about their view on third-party cyber risks.


Summary of the report:

  • 71% of business executives are moderately or very concerned about third-party suppliers exposing their organization to cybersecurity risk. 55% say their suppliers have access to customer data.
  • But only 36% have a well-defined and tested plan to deal with risks from third parties.
  • But what can businesses do to mitigate supply-chain risks?
  • They may decline to do business with a supplier based on its insufficient cybersecurity practices.
  • They may also categorise suppliers. Traditionally, such categorisation is based on contract value: the highest-value suppliers may undergo an on-site audit, tier-two suppliers may have to fill out documentation, and so on.
  • But such a system won’t work for cyber risks, because contract value doesn’t correlate with the cyber risk a supplier may pose.
  • The report offers four steps companies can take to address third-party cyber risk:
    • Understand your suppliers
    • Choose suppliers that prioritise security
    • Link cybersecurity to service level agreements
    • Build deeper, mutual relationships


Why this matters for businesses and ISTARI

  • The report shows that third-party risks are becoming a concern for businesses.
  • It also highlights a disconnect between executive concern and action: many executives worry about third-party cyber risks (71%), but only a few seem to have adequate measures in place (31%).
  • The four steps companies can take to address third-party cyber risk are a good start, but more work is needed to address third-party risks adequately.


Access the full PDF here