Businesses don’t operate in isolation. In fact, most businesses are concerned about third-party cybersecurity risk: cyber risk arising from suppliers connected to a company’s systems. That is both unsurprising and reassuring. However, expressing concern alone doesn’t address the risk, and many businesses fail to implement adequate mitigation strategies.
The term “third-party risk” itself may even be misleading. Because third-party suppliers have vendors of their own, attackers may also use these “fourth-party” suppliers as an initial attack vector.
The result is a complex web of companies with seemingly endless access points, any one of which may serve as an attack vector against the entire ecosystem.
Below is a summary of a Harvard Business Review Analytic Services survey that asked 200 executives about their views on third-party cyber risks.
Summary of the report:
- 71% of business executives are moderately or very concerned about third-party suppliers exposing their organization to cybersecurity risk. 55% say their suppliers have access to customer data.
- However, only 36% have a well-defined and tested plan to deal with risks from third parties.
- But what can businesses do to mitigate supply-chain risks?
- They may decline to do business with a supplier based on its insufficient cybersecurity practices.
- They may also tier their suppliers. Traditionally, such tiering is based on contract value: the highest-value suppliers may undergo an on-site audit, tier-two suppliers may have to fill out documentation, and so on.
- However, such a system won’t work for cyber risk, because contract value doesn’t correlate with the cyber risk a supplier may pose.
- The report offers four steps companies can take to address third-party cyber risk:
  - Understanding your suppliers
  - Choosing suppliers that prioritise security
  - Linking cybersecurity to service level agreements
  - Building deeper, mutual relationships
Why this matters for businesses and ISTARI
- The report shows that third-party risk is becoming a concern for businesses.
- It also highlights a disconnect between executive concern and action: many executives worry about third-party cyber risk (71%), but far fewer say they have adequate measures in place (31%).
- The four steps companies can take to address third-party cyber risk are a good start, but more work is needed to address third-party risk adequately.