According to the results of a recent NAVEX Global survey of 321 professionals involved in third-party management, fully 32 percent of respondents don’t evaluate third parties at all before engaging with them, almost half of respondents have no dedicated budget for third party risk management, and 11 percent of respondents don’t even know how many third parties they manage.
That’s in spite of several recent high-profile data breaches resulting from security flaws at third-party vendors, including those at Target and Goodwill.
Survey respondents said their top three concerns about third parties include bribery and corruption (39 percent), fraud (23 percent), and conflicts of interest (19 percent).
“Though many organizations know which third party failures they should fear, they have not built sufficient programs and processes to identify and manage those risks,” NAVEX Global vice president for advisory services and report author Randy Stephens said in a statement.
“That may indicate a disconnect between performance of individual programs and accountability for the pain of a third party failure,” Stephens added. “Whoever is managing third parties and third party risk should understand the economic risk and impact of third party compliance on the company.”
When asked to identify the top objectives of their third party risk management programs, 90 percent said their key aim was to “protect our organization from risk and damage,” followed by “comply with laws and regulations” (82 percent) and “meet legal and regulatory requirements” (71 percent).
The leading internal issues that respondents believe are undermining their third party risk management programs’ effectiveness are difficulty monitoring third party relationships (51 percent), limited resources for the program (51 percent), and inconsistent reporting on third party issues (43 percent).
The leading external challenges to third party risk management programs are getting third parties to certify compliance with a company’s policies (51 percent), training third parties on a company’s policies and compliance requirements (48 percent), getting third parties to enforce a company’s ethics and compliance policies in their organizations (41 percent), and getting third parties to enforce a company’s ethics and compliance structure with their own third parties (34 percent).
Separately, a recent BitSight Technologies study of 35,635 companies highlighted the risk from fourth parties, that is, third party vendors’ own third party vendors. “The effects of a breach may be felt well beyond the initial attack,” the report states. “This is often a result of the complex business relationships that exist.”
“For example, let’s say Company 1 is a vendor for Company 2, and this vendor outsources their services to Company 3, who was the target of a breach,” the report adds. “This attack creates a knock-on effect, where vulnerabilities introduced through the compromised service provider now provide a backdoor to hackers.”
“Organizations who ignore these interconnections leave themselves vulnerable to other attacks or system disruptions at some point in the future,” the report notes.
Over 31 percent of the companies studied are linked to Adobe Systems, which suffered a data breach in 2013; almost 40 percent of media and entertainment companies use Amazon Web Services as their content delivery network; and more than 13 percent of the aerospace and defense companies studied use IIS 6, indicating that they use Windows Server 2003, which is no longer supported.
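The knock-on effect the report describes, and the “how many companies are linked to vendor X” figures above, both come down to walking a vendor dependency graph. The following is an added example written for this article, not code or methodology from BitSight or NAVEX Global; the organization and vendor names, the relationships between them, and the incident signals attached to vendors are constructed sample data. It finds every third, fourth and deeper party an organization is exposed to, attaches the shortest supply chain to each flagged vendor, and counts how concentrated the ecosystem is on any single vendor.

```python
"""Transitive (fourth-party) exposure over a vendor dependency graph.

Added illustration of the knock-on effect described in the BitSight report.
This is not BitSight's or NAVEX Global's code; all vendor names, relationships
and signals below are constructed sample data.
"""
from collections import deque

# Constructed sample data: each key depends on the vendors listed for it.
VENDOR_GRAPH = {
    "acme-corp": ["payroll-co", "cdn-co"],
    "payroll-co": ["cloud-host"],   # cloud-host is a fourth party to acme-corp
    "cdn-co": [],
    "cloud-host": ["legacy-dc"],
    "legacy-dc": [],
    "widget-inc": ["cdn-co"],
}

# Constructed hygiene/incident signals a monitoring feed might attach to a vendor.
SIGNALS = {
    "legacy-dc": "runs unsupported server software",
    "cdn-co": "reported breach",
}


def exposure_paths(org, graph):
    """Return {vendor: path_from_org} for every vendor reachable from org.

    Breadth-first search, so the recorded path is the shortest supply chain
    through which org is exposed to that vendor.
    """
    paths = {}
    queue = deque([(org, [org])])
    seen = {org}
    while queue:
        node, path = queue.popleft()
        for vendor in graph.get(node, []):
            if vendor in seen:
                continue
            seen.add(vendor)
            paths[vendor] = path + [vendor]
            queue.append((vendor, paths[vendor]))
    return paths


def flagged_exposures(org, graph, signals):
    """List (vendor, tier, signal, chain) for reachable vendors carrying a signal.

    tier 1 is a direct third party, tier 2 a fourth party, and so on; the
    result is sorted so the closest exposures come first for prioritization.
    """
    rows = []
    for vendor, path in exposure_paths(org, graph).items():
        if vendor in signals:
            rows.append((vendor, len(path) - 1, signals[vendor], " -> ".join(path)))
    rows.sort(key=lambda row: row[1])
    return rows


def vendor_concentration(graph):
    """Count how many organizations depend on each vendor, directly or
    transitively: the 'percent of companies linked to vendor X' view."""
    counts = {}
    for org in graph:
        for vendor in exposure_paths(org, graph):
            counts[vendor] = counts.get(vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for vendor, tier, signal, chain in flagged_exposures("acme-corp", VENDOR_GRAPH, SIGNALS):
        print(f"tier {tier}: {vendor} ({signal}) via {chain}")
    for vendor, count in sorted(vendor_concentration(VENDOR_GRAPH).items()):
        print(f"{vendor}: {count} dependent organization(s)")
```

The tier column is what turns a vendor inventory into a prioritization list: a breached direct vendor deserves attention before an unsupported platform three hops away, but the deeper finding only becomes visible at all once the walk goes past the first tier, which is the point the report makes about ignoring interconnections.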
“Though understanding your entire security ecosystem may seem like a lofty undertaking, appropriate identification, prioritization, and validation, paired with continuous monitoring, can simplify the process and eliminate the potential for a devastating disruption,” BitSight co-founder and CTO Stephen Boyer said in a statement.
A recent eSecurity Planet article offered five tips on reducing third-party security risks.