The vast majority (84%) of global organizations host critical or sensitive assets with third-party vendors, according to a comprehensive study published by The Cyentia Institute and commissioned by RiskRecon.
The study analyzed the third- and fourth-party cyber risks of 18,000 organizations across 200 countries and found that the average firm has 22 internet-facing hosts, while some maintain more than 100,000 hosts. “That matters because protecting a large internet presence is a different ballgame than protecting a tiny one, regardless of any other factors,” the report said.
Additional findings revealed that 27% of companies host their assets with at least 10 external providers. Overall, 65% are hosted on a netblock that is owned by an external entity, with 57% of firms using hosts in multiple countries.
The growth of data dispersion has been enabled by the cloud, yet global companies are starting to see that putting sensitive enterprise and consumer data in the hands of external players creates vulnerabilities. In addition, high-value assets are three times as likely to have severe findings off-premise as on-premise, the report found.
“Since a huge portion of a modern organization’s value-generating activities relies on internet-enabled processes and 3rd party relationships, that surface is much more extensive than one might expect. In this section, we identify and measure key aspects of the internet risk surface through the data sample collected,” the report said.
“Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations or your regulatory compliance is at risk,” explained Kelly White, RiskRecon’s CEO and co-founder, in a press release.
“The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face.”