Businesses don’t operate in isolation and most businesses are concerned about third-party cybersecurity risks – cyber risks emerging from suppliers connected to a company’s systems. That is both unsurprising and reassuring. But only expressing concern doesn’t address the risks, and many businesses fail to implement adequate risk mitigation strategies.
The term “third-party risk” itself may even be misleading, because third-party suppliers have vendors of their own, and attackers may also use these “fourth-party” suppliers as an initial attack vector.
The result is a complex nexus of companies with seemingly endless access points, any of which may serve as an attack vector that brings down the entire ecosystem.
Below is a summary of a survey conducted by Harvard Business Review Analytic Services that asked 200 executives about their view on third-party cyber risks.
Summary of the report:
- 71% of business executives are moderately or very concerned about third-party suppliers exposing their organization to cybersecurity risk. 55% say their suppliers have access to customer data.
- But only 36% have a well-defined and tested plan to deal with risks from third-parties.
- But what can businesses do to mitigate supply-chain risks?
- They may decline to do business with a supplier because of its insufficient cybersecurity practices.
- They may also categorise suppliers into tiers. Traditionally, such categorisation is based on contract value: the highest-value suppliers may undergo an on-site audit, tier-two suppliers may have to fill out documentation, and so on.
- But such a system won’t work for cyber risks, because contract value doesn’t correlate with the cyber risk a supplier may pose.
- The report offers four steps companies can take to address third-party cyber risk
- Understand your suppliers
- Choose suppliers that prioritise security
- Link cybersecurity to service level agreements
- Build deeper, mutual relationships
Why this matters for businesses and ISTARI
- The report shows that third-party risks are becoming a concern of businesses
- It also highlights a disconnect between executive concern and action: many executives worry about third-party cyber risks (71%), but only a few seem to have adequate measures in place (31%)
- The four steps companies can take to address third-party cyber risk are a good start, but more work is needed to address third-party risks adequately