This is not an opener for a sex-ed public service announcement, but in fact the million-dollar question for today's enterprise CISOs and CROs: which vendor in the supply chain will prove to be the riskiest bedfellow? With 63% of all data breaches caused directly or indirectly by third party vendors, enterprise measures to bolster cyber resilience must now include the evaluation of partners' security as part of a broader cyber risk management strategy. Easier said than done: most third parties are unlikely to admit to their security shortcomings, and—as it turns out—even if they did, most firms wouldn't believe them anyway.
According to a survey conducted by the Ponemon Institute, over a third of businesses "do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred." This resignation isn't surprising as most enterprises—their hands full securing their own infrastructures and fending off cyber attacks—grapple with third party risk as a secondary concern. This is fast changing, however, as third party data breaches are becoming the norm in today's high profile data breach incidents. Even sensitive federal agencies are subject to government contractor risk.
Timely disclosure is also increasingly required by law—in California, for instance, companies must immediately disclose a data breach to customers. In recent news, a local Texas school district was on the hook for disclosing a data breach involving SunGard K-12, a third-party student and employee data management vendor, to its students' parents. Unfortunately, most enterprise ecosystems are far more complex than this—with expansive supplier/partner networks themselves compromised of other players, one vulnerability or misconfiguration could quickly lead to the downfall of many. This is the cost of transacting in today's digital economies: the necessary risk of data loss is compounded by the extent to which one relies on partner resources to remain competitive.
"The inability of so many companies to confirm whether third parties have had a data breach or cyber attack involving sensitive and confidential information should be a wake-up call for businesses across all industries. To mitigate this risk, companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors; however, we found that few companies represented in this research, in particular those outside the regulated banking sector, have done so."
So how do risky partners increase an organization's cyber risk exposure? Security compromises will occur in any number of ways, but at the end of the day, determining the likelihood of a particular vendor falling victim to a data breach is far more crucial than figuring out how the inevitable will happen. Vendor risk assessments can begin to answer the questions, but real resilience requires more. The most straightforward way to mitigate risk is to first quantify it—in UpGuard's resilience platform, this measure is known as its CSR (Cyber Security Rating).
For third party vendor assessments, a would-be partner's external CSR could reveal much about its enterprise security fitness. Low company and/or CEO approval rating? The firm is almost certainly more at risk to insider attacks. Website perimeter security full of gaping flaws? It may just become the weakest link in your chain of ecosystem partners—or more likely, one of many.
CSR combines the results of external risk assessments—websites, email, open ports, company profiles—with internal assessments like server and network configurations, vulnerability management, and critical infrastructure security metrics—to create a numerical value representing an organization's cyber risk posture. Find out why leading cyber risk insurance providers are relying on UpGuard and CSR to insure businesses against data breaches and foster cyber resilience.
Try out CSR by installing our CSR Chrome extension to score the websites you visit every day.