The numbers: How third-party risk is actually affecting you
One of the greatest parts about my job is being able to get a global perspective on the state of infosec.
I have the opportunity to talk to amazingly talented people, get their opinions on important trends, and hear their real-world experiences.
Vendict is, at the end of the day, a platform dealing with third-party risk. TPRM is what we’re trying to deliver to customers, and it’s the risk we’re ultimately trying to mitigate.
Unfortunately, the risk associated with third parties has really gotten out of control.
Day after day, we see in the headlines that even big companies that have the resources to address this problem are falling victim to third-party hacks.
One of the symptoms of this situation is that it’s really hard to get a quantifiable picture of how third-party risk is affecting organizations.
So at Vendict, we decided to do a deep dive.
To unpack what we discovered, we divided the data into three categories:
- The actual risk of third-party hacks in the cybersphere as a whole
- The operational burden that organizations have to deal with in addressing TPRM
- The reputation factor that TPRM brings to the table
Let’s jump in:
Actual risk
You don’t have to rely on anecdotes.
The best data we have confirms that third-party hacks are on the rise, and have been for a while.
The first thing to consider is that these hacks make up a growing share of all security breaches. In fact, third-party access is now the most common vector behind data incidents: experts estimate that about 60 percent of all data breaches today occur via third-party vendors.
The second factor to keep in mind is the damage being inflicted by these hacks. In research published by the Ponemon Institute, the average cost of a data breach caused by a third party rose from $370,000 to $4.29 million in just three years.
So yes, third-party hacks are much more common today than they were just a few years ago, and they also have much greater impact.
The last point in quantifying the general threat of third-party hacks is that not all industries share the same level of risk. For example, the healthcare industry is being hit much harder than other sectors: in 2021, 33% of all attacks involving third parties targeted hospitals and other healthcare organizations. That’s really quite remarkable when you think about it.
The discrepancy in risk levels is hugely important for GRC managers and CISOs who are trying to develop frameworks for their respective organizations.
Operational burden
Beyond the actual risk of third-party attacks, there is the burden that businesses must bear in addressing that risk.
And here’s where the problem gets bad.
You see, TPRM is genuinely complicated, and it only gets more so as more IT services are outsourced and the digital supply chain grows more opaque. Staying on top of third-party risk therefore requires a lot of work—more work than many companies are able to put in.
Today, over 50% of companies across all industries say that managing third-party security is overwhelming and stressful. Surveys across industries show that more than half of companies admit they do not thoroughly review each third party’s security and privacy procedures before integrating it into their network. By the same token, 65% of firms report they have not even identified all the third parties that have access to their most sensitive data, and 54% of organizations do not have a complete list of the third parties that can access their network.
With the burden of TPRM increasing rapidly, it’s no wonder that 48% of organizations already consider the complexity of third-party relationships their main problem from a business-flow perspective.
Reputational burden
I know we are painting a pretty bleak picture here. But stay tuned, because there is a silver lining.
The last factor we considered in exploring TPRM is the reputational factor, which is to say, how third-party risk affects a company’s ability to close deals.
There’s more awareness of third-party hacks today than ever before. Surveys of IT executives reveal that the vast majority (over 79%) have experienced a third-party hack on their watch in recent years. This trend led Gartner to predict that nearly half of all organizations in the world will have experienced a third-party hack by 2025. What this means is that security teams and their bosses are becoming more selective about vendors in service categories with a high incidence of third-party incidents.
Here as well, industry-to-industry differences matter. For instance, third-party security breaches are much more common among software publishers than among other kinds of service providers. A recent report by security firm Black Kite shows that software publishers are involved in 23% of all third-party incidents, and 2022 was the third consecutive year in which software publishers were the industry most often connected to third-party breaches.
An opportunity in disguise
So here’s the good news I promised.
You don’t have to approach these numbers with a fatalistic outlook. On the contrary, the state of TPRM today offers companies a huge opportunity to grab the third-party challenge by the horns.
At Vendict, we like to say: “We’re not here to solve compliance problems. We’re here to turn compliance into an asset.”
That’s exactly what can be done with regard to TPRM.
Companies that take responsibility, and go out of their way to show their client base that they take third-party risk seriously, give themselves a real competitive edge.
This, in my humble opinion, is the real takeaway from the current state of third-party risk management: The chance to turn risk into an added value for the business is right in front of us.
At Vendict, we harness the power of generative language AI to help with security and privacy compliance and risk management.