There is a severe underreporting of cyberattacks launched against a company through its vendors and suppliers. Only 34% of companies are confident that their suppliers would notify them of a breach in their sensitive information, according to new research from the Ponemon Institute and Mastercard’s RiskRecon.
Payroll, software development, and data processing are just some of the essential services that businesses rely on from their third-party vendors. However, without proper security measures in place, businesses may be vulnerable to a data breach by one of their vendors, suppliers, contractors, or business partners.
Only 34% of organisations have faith that their vendors would notify them of a data breach involving their sensitive information, according to new research by Ponemon Institute and Mastercard’s RiskRecon, suggesting that third-party data breaches may be underreported.
Given that 59% of respondents say their organisations have experienced a data breach caused by one of their third parties, and 54% say it happened within the past 12 months, it is easy to see why weak third-party security controls continue to be a chink in the armour for enterprises.
Moreover, the problem propagates further down the supply chain, with 38% of businesses attributing the breach to an "Nth party," highlighting the inadequacies in the security controls that third parties impose on their own vendors and partners. Accordingly, only 21% of businesses have faith that an Nth party would report a breach to them.
Although there are a number of recommended practices that businesses can use to lessen their exposure to cyber threats posed by third parties, the data suggests they are not widely followed. Among these practices are keeping an inventory of all third parties and regularly assessing the effectiveness of their security and privacy measures. However, only 36% of companies assess a third party's controls before entering a relationship, and only 43% of those companies routinely review those controls afterwards.
A lack of accountability and a lack of involvement by boards of directors are the primary reasons why organisations do not follow such best practices. While 35% of businesses say that third-party cyber-risk is not a board-level priority, only 18% say that the CISO is responsible for it.
The findings come from the Ponemon Institute's RiskRecon 2022: Data Risk in the Third-Party Ecosystem study, for which the organisation polled 1,162 IT and IT security experts in North America and Western Europe between May 2 and June 30, 2022.