During the SolarWinds breach, while IT security teams scrambled to determine and limit their own exposure, there were additional detrimental downstream impacts since the attackers also accessed users’ customer data. Thus, organizations — from small businesses to huge government agencies — were reminded of how vulnerable they are to cyberattacks through service providers and software with privileged access.
Respondents from CyberRisk Alliance Business Intelligence’s November 2022 Third-Party Risk Survey believe third parties are increasingly the cause of IT security incidents, while some think they have been the primary source of attacks in the past two years. As a result, organizations are now emphasizing third-party risk, and many are devoting more attention to risk management in this area. Respondents said their increased dependency on vendors and other partners such as manufacturers, suppliers, and sub-contractors, as well as increasingly complex supply chains, lack of visibility into third and fourth-party partners (i.e., their vendors’ partners), and the vast scope of data accessible to them, have vastly increased their exposure to attacks.
This trend, combined with a greater global presence, use of more diversified applications, programs, and cloud solutions, and the complexity and persistence of supply chain threats and threat actors are the catalysts for recognizing and addressing the risk exposure and potential liabilities from attacks and breaches originating from third parties.
Learn how respondents view increasing supply chain complexity, murky visibility across the supply chain, and the TPRM roadblocks putting organizations at risk — and download your free copy of the CyberRisk Alliance Business Intelligence report, sponsored by AuditBoard, Third-Party Risk: More Third Parties + Limited Supply-Chain Visibility = Big Risks for Organizations.
Most respondents said they are increasingly working with more third-party products and services and have substantially increased their reliance on third-party partners. The overall average estimated number of third-party partners (including software vendors, IT service providers, business partners, brokers, subcontractors, contract manufacturers, distributors, agents, and resellers) among all respondents is 88. This estimate varies with organization size: the smallest organizations are partnered with an average of about 16 third parties, while large enterprises have roughly 173 third-party partners.
Overall, nearly 8 out of 10 respondents (78%) reported some level of complexity in their supply chain. Of those, 26% categorized them as “very” or “extremely” complex. Unsurprisingly, the complexity of an organization’s supply chain is associated with organization size in which the largest organizations (those with 10,000 or more employees) are much more likely to have the most complex supply chains: more than half of respondents (52%) in this segment indicated their supply chains are very or extremely complex.
Murky Visibility Across the Supply Chain for Most
As supply chains grow and become more complex, supply chain visibility, or the ability to track all tiers of the supply chain, becomes increasingly important. Among all respondents surveyed, visibility varied and was highly influenced by the complexity of their organizations’ supply chains. The largest proportion of respondents (36%) reported they have visibility into only their tier one suppliers. Another 22% said they have visibility into their tier-two suppliers; these organizations are more likely to be larger organizations with highly complex supply chains. Only 11% said they have visibility across all tiers, regardless of their supply chain complexity. Another 12% said they have no visibility at all; these organizations are most likely to be the smallest organizations with the least complex supply chains.
“The third-party ecosystem has become complex, and the opensource software system has been attacked and is an easy target. Without having clear visibility into the remediation process, it poses a big risk.”
Roadblocks in Staffing, Budgets, Processes, and Technology Put Prganizations at Higher Risk
In weathering the third-party risk storm over the next 12 months, respondents said they face a multitude of challenges as the number of third-party vendors increases and their supply chains become more complex. Many indicated they are likely to struggle with the inability to find staff who are sufficiently trained in auditing and managing third-party resources. Budget constraints also continue to persist as does the lack of buy-in from executive management in recognizing and proactively managing third-party risks. Respondents believe they will also continue to struggle with identifying third-party risks, creating internal policies, and ensuring that third parties are vetted and adhere to compliance requirements (e.g., ISO compliance, HIPPA, and PCI) wherever necessary.
Respondents noted that, in order to overcome some of their third-party challenges, they will need to address the limited visibility into their supply chains, identify critical vendors by risk tier, and establish a process for vetting and periodic reviewing of their third-party partners. They said they will also need better governance, stronger contracts, and more accountability on both sides.
“The unknown risks that have not yet been encountered are the top challenges in managing third-party risk in the next 12 months.”
Without adequate human resources, adequate funding, “tone at the top” management oversight, security controls and processes, technology/ automation for centralized vendor management, vendor assessment, risk analysis, and reporting, organizations will be at a disadvantage in fully securing their third parties.
“I think our top challenge is just to develop a process to manage third-party risk that all parties can abide by and that works.”
Despite issues with reduced budgets and funding, many respondents said their organization is planning to invest in technology and staffing at some level to help mitigate third-party risk in the next 12 months. Overall, more than half (56%) said they expected “some investment” and 23% expected a “limited investment.” Only 14% indicated their organization was planning a significant investment in resources and technology to manage third-party risks. The level of investment is, of course, associated with organization size: while there were no respondents from small organizations (less than 100 employees) who said they expect a significant third-party risk management investment in 2023, 27% from the largest organizations anticipate significant investments in this area.
To learn more about how organizations are approaching third-party risk today, download the full CyberRisk Alliance Business Intelligence report, sponsored by AuditBoard: Third-Party Risk: More Third Parties + Limited Supply-Chain Visibility = Big Risks for Organizations.