Updated: Apr 13, 2020
Not many companies have a comprehensive inventory of the third-party suppliers that they work with. Ponemon Institute surveyed 1,028 professionals, and results showed that only 34% of the respondents have shown confidence regarding this matter from the US and the UK in their “Data Risk in the Third-Party Ecosystem”.
The frequency of third-party breaches in the US is significant and is currently on the rise, growing from 56% in 2017 to 61% this year. Data on this matter in the UK, however, is limited due to the fact that the country has just started doing these surveys in 2018.
Approximately 75% of them have said that the third-party security incidents involving vendors have increased and part of the reason is too much reliance on their use. In the US alone, there has been a 25% increase in 2017 on third-party suppliers.
Companies are struggling to have an inventory on all their suppliers mainly due to the absence of centralized control and the difficulty that comes along with it, according to 69% of them.
Only 15% are aware of how their information is being accessed and processed by their companies while only 28% receive notifications whenever their information is shared with a third party.
Many are clueless about the extent of the problem as only 37% have claimed that they have sufficient resources to handle their relationship with third parties and 35% have said that their third-party risk management program is ‘very effective’. To make things worse, 22% of the respondents couldn’t tell if they’ve experienced a third-party breach last year.
However, being vigilant of the third parties that you work with isn’t enough. About 60% of companies with an inventory are not certain about the strength of their safeguard to prevent a breach and less than half of them only evaluates the security practices of their vendors. Plus, about 60% of the company does not have enough resources to verify vendors for security and about the same amount does not require third-parties to complete questionnaires and security assessments.
It’s not all bad news however as companies that haven’t reported breaches from third parties report stronger focus on the management of their third party. Among those companies, 60% claim that they are investing in vendor management processes. On the other hand, only 15% of breached companies are said to have the same level of focus.
Companies should limit the number of people who they share their information and confidential data. A formal process should be in place for reviewing and managing the privacy of vendors and be able to handle new and emerging threats.
Supply chains are an extremely complex multi-stakeholder environment,” according to Ophir Gaathon, CEO and co-founder of Dust Identity. “Currently there are wide gaps in what technology can cover that leave unaddressed vulnerabilities.”