Third-party cyber risk management practices are ‘important but ineffective’
Published: Thursday, 28 March 2019 08:56
CyberGRX has announced the results of its inaugural ‘Cost of Third-Party Cybersecurity Risk Management’ study carried out by Ponemon Institute. Surveying over 600 IT security professionals, the study illustrates a persistent theme that organizations and third parties see their third-party cyber risk management (TPCRM) practices as important but ineffective. The survey respondents come from a variety of industries and are all directly involved in managing their organizations’ TPCRM programs.
The report identifies four major takeaways for key decision makers:
- Current practices and technologies used to support TPCRM and assess third parties are costly, inadequate and inefficient.
- Investing in better assessment and vetting tools can increase effectiveness in TPCRM while decreasing the cost of maintaining the program.
- Applying the same approach to all third parties can be quite costly. Taking the time to prioritize third parties and apply an appropriate level of due diligence to them will reduce costs and increase efficiencies in the long run.
- Control over budgets for TPCRM is dispersed throughout the organization, which can make the allocation of resources inefficient because of competing interests.
Over 53 percent of respondents experienced a third-party data breach in the past two years, yet surprisingly, the market has yet to adopt new approaches to manage third-party cyber risk. For instance, over 80 percent of respondents agreed that vetting and assessing third parties is critical; however, 60 percent remain disheartened that their current vetting processes aren’t working. Even when an assessment uncovers a third-party security gap, organizations do not proactively mitigate these risks. Only 24 percent confirm that their organizations collaborate with third parties to improve their security measures. Even then, organizations will request — not require — that third parties mitigate identified security gaps.
One of the most striking takeaways is the disparity between the time third parties spend on assessments and the lack of perceived value and action taken by the receiving organizations. By and large, organizations still primarily use manual procedures such as spreadsheets (40 percent) and/or risk scanning tools (51 percent) to assess their third parties. However, 54 percent of these organizations feel the results of these assessments provide, at best, only somewhat valuable information. Meanwhile, third parties are spending, on average, 15,000 hours a year completing manual spreadsheets in order to maintain relationships with their customers, even though their customers take action on only 8 percent of those assessments. The results of this study illustrate that organizations and their third parties are wasting critical human and financial resources on programs that aren’t optimized to help them reduce cyber risk in their shared ecosystems.