Third Party Risk Trends: Why Companies Aren’t Keeping Up with Data Security
Companies know that third-party data security risk is a problem, but the majority haven’t been able to keep up with rising threats. According to recent research from Opus and the Ponemon Institute, 59% of companies have experienced a third-party data breach. In the U.S. alone, 61% of companies have — up 5% from last year, and 12% from 2016.
Data breaches at Target, British Airways, Uber and Facebook certainly ring bells. More recently, names like HSBC and Nordstrom have been making headlines. Why do data breaches caused by third parties continue to occur so often, and how can companies prevent them — or at least reduce their likelihood?
Opus recently partnered with well-known data security and privacy think tank Ponemon Institute to survey 1000+ risk and security professionals in the U.S. and U.K. to evaluate how prepared companies are to manage the data risks involved with outsourcing. The results of the third annual Ponemon Study on third-party data risks provide a window into the challenges of protecting sensitive information shared with third and Nth parties. Here, we look at the key takeaways.
5 Key Risk Management and Third-Party Risk Trends
The third-party risk landscape continues to change significantly. Awareness around third-party data risk is growing, but there’s still work to be done.
1. 76% of companies say cybersecurity incidents involving vendors are increasing
Third parties are often the weakest link in an organization’s security and represent one of its largest risks. A third-party data breach can devastate a company, no matter how strong its internal security is. More than one third of companies have experienced a security incident involving a vendor, showing just how significant the problem is.
Despite the evident need for third-party risk management (TPRM), only 46% of companies prioritize managing the risks of outsourced relationships. The stat is puzzling until you consider that only 39% of companies regularly report to their board of directors about the effectiveness of their TPRM program. Including senior leadership is a sure way to raise awareness about the potential risk to an organization and gain buy-in for TPRM.
2. Data breaches caused by third parties often go undetected
Worryingly, many companies are unaware of when their sensitive data has been breached. 22% of companies are unable to determine if they have experienced a third-party data breach. For Nth parties, the number rises to 42%.
A large part of the problem is that only 29% of companies say a third party would contact them about a breach. One solution is to include provisions in third-party contracts that require vendors to report breaches as well as when and with whom they share sensitive information.
3. Lack of visibility into third parties leaves sensitive data exposed
On average, companies work with more than 500 third parties and must assess and monitor the data security practices of each. Yet only 34% of companies have a comprehensive inventory of all their third parties.
It’s impossible to keep data secure if you don’t know who has access. Accountability for TPRM is typically spread across an organization, making it difficult for companies to maintain a single inventory of third parties. 69% of companies don’t have a comprehensive inventory because there is no centralized ownership or control over third-party relationships.
4. Most third-party security and privacy practices are never evaluated
57% of companies don’t know if their vendor safeguards are sufficient to prevent a breach. Performing due diligence on third parties is sorely needed to lower risk. 54% of companies don’t evaluate the security and privacy practices of third parties before engaging them and 60% do not require third parties to fill out questionnaires or conduct assessments. Companies will never know if their data is at risk if they don’t ask.
Assessing third-party risk, including third-party data risk, starts at onboarding, but it doesn’t stop there. The threat landscape is constantly evolving, and companies that make sure third-party security practices are adapting to emerging threats are less likely to experience a data breach caused by third parties. However, 54% of respondents said their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information.
5. Third-party risk management programs are under resourced
Each of the third-party risk trends outlined above ties back into this one: only 37% of companies say they have sufficient resources to manage third-party relationships. Without people, budget and technology, keeping track of all the moving pieces of TPRM is daunting. Resourcing TPRM is without a doubt worth the investment: 60% of organizations that have not experienced a third-party data breach believe their organization allocates sufficient resources to third-party management.
Taking Steps Toward Stronger Risk Management
Despite the risk, outsourcing is necessary for doing business in the modern world. Third parties provide essential services and bring in significant revenue. Some companies are managing to navigate the tricky third-party landscape and reduce their likelihood of a data breach. Those organizations approach third-party risk management differently, incorporating five core practices into their risk programs.
- Evaluating the security and privacy practices of third parties
- Inventorying all third parties with whom you share information
- Frequently reviewing third-party management policies and programs
- Requiring third-party notifications when data is shared with Nth parties
- Gaining oversight by the board of directors
The Ponemon Study findings make it clear that there’s still work to be done in the area of third-party risk management. But most importantly, the report presents companies with an opportunity, the motivation and the practical guidance to strengthen their TPRM programs.
As always, our team is here to answer any questions. Get in touch with us to learn how you can confidently manage your outsourced relationships.