Third-party cyber risks are a ‘glaring blind spot’ finds PwC survey
- Published: Thursday, 14 October 2021 07:33
A majority of companies don’t have a handle on their third-party cyber risks – risks obscured by the complexity of their business relationships and vendor/supplier networks. This is a key finding of the PwC 2022 Global Digital Trust Insights Survey. The survey of 3,600 CEOs and other C-suite executives around the world found that 60 percent have less than a thorough understanding of the risk of data breaches through third parties, while 20 percent have little or no understanding at all of these risks.
PwC says that these findings are a red flag in an environment where 60 percent of the C-suite respondents anticipate an increase in cyber crime in 2022. They also reflect the challenges that organizations face in building trust in their data - making sure it is accurate, verified and secure, so customers and other stakeholders can trust that their information will be protected.
Notably, 56 percent of respondents say their organizations expect a rise in breaches via their software supply chain, yet only 34 percent have formally assessed their enterprise’s exposure to this risk. Similarly, 58 percent expect a jump in attacks on their cloud services, but only 37 percent profess to have an understanding of cloud risks based on formal assessments.
Asked how their companies are minimizing third-party risks, the most common answers were auditing or verifying their suppliers’ compliance (46 percent), sharing information with third parties or helping them in some other way to improve their cyber stance (42 percent), and addressing cost- or time-related challenges to cyber resilience (40 percent). But a majority have not refined their third-party criteria (58 percent), have not rewritten contracts (60 percent), and have not increased the rigor of their due diligence (62 percent) to identify third-party threats.
Other key findings include:
- Nearly three quarters of respondents said the complexity of their organization poses ‘concerning’ cyber and privacy risks. Data governance and data infrastructure (77 percent each) ranked highest among areas of unnecessary and avoidable complexity. Simplification is a challenge, but there is ample evidence that it is worthwhile. While three in 10 respondents overall said their organizations had streamlined operations over the past two years, the ‘most improved’ in the survey (the top 10 percent in cyber outcomes) were five times more likely to have streamlined operations enterprise-wide. These top-10-percent organizations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third-party cyber and privacy risks.
- Executive and CEO respondents differ on how much support the CEO provides on cyber, with CEOs seeing themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams do. But there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference. Executives in the ‘most improved’ group, reporting the most progress in cyber security outcomes, were 12 times more likely to have broad and deep support on cyber from their CEOs. Most executives also believe that educating CEOs and boards so they can better fulfill their cyber responsibilities is the most important act for realizing a more secure digital society by 2030.