In business, third-party vendors and partners can open the door to significantly increased risk of cyberattacks—as evidenced most famously by the Target breach, where hackers entered using HVAC contractor credentials. But the aftermath can be a company-killer: Ponemon Institute researchers found that in the past 12 months, organizations spent an average of $10 million to respond to a security incident as a result of negligent or malicious third parties.
The firm’s latest report also found that third-party risk is only increasing with the growth in disruptive technologies such as the internet of things (IoT) and cloud security—70% of respondents acknowledged it as a ballooning issue. However, only 8% of respondents say improvement of their organizations' relationship with business partners is a top risk management objective. So the risk associated with third parties is growing, but the C-Suite and Board level are not prioritizing this issue.
In fact, in many organizations, there's not only no clear accountability around risk management, because most companies don't even have metrics to measure the effectiveness of risk management activities. Further, many of them don't even know what high value or sensitive data is in the hands of those third parties in the first place.
"The threat landscape is constantly evolving, and as a result, third party risk is only going to increase," said Larry Ponemon, chairman and founder of the Ponemon Institute. "It has become imperative for organizations to create formal programs for vendor risk management in order to avoid being compromised, and more importantly, business leaders need to set a strong example."
A full 71% of respondents said that management involvement makes a difference: When this “tone at the top” is part of an organization's risk management strategy, the risk of working with third parties that are not trustworthy is reduced.
And, 81% of respondents in financial services say that a strong tone at the top is essential to mitigating business risk. Yet, only 7% of respondents in financial services say that improving the organization's relationship with business partners is a top risk management priority.
Yet in all, half (50%) of respondents said that they do not believe the risk management process is aligned with business goals. And 11% of respondents say their organizations are very effective at communicating values throughout the enterprise or to business partners, vendors and other third parties.
"If management exemplifies honesty, integrity and ethics, it is much more likely that employees will work to uphold those same values. As a result, there will be a decrease in risks caused by insider negligence and third party relationships," said Charlie Miller, senior vice president with the Shared Assessments Program, which commissioned the research. "This study clearly demonstrates that not only is there a major risk issue stemming from vendor and partner relationships, but the highest level of organizations, the Board and C-Suite, need to better communicate their values across the enterprise, setting a positive tone and creating formal programs to mitigate this risk, ultimately helping companies to improve their risk management practices."
Photo © Leowolfert