Report: 54% of organizations have infringed through third parties in the past 12 months

Couldn’t attend Transform 2022? Check out all the top sessions in our on-demand library now! Look here.

Cyber ​​attacks via suppliers or suppliers of an organization are reported far too little. According to new research from Ponemon Institute and Mastercard’s RiskRecon, only 34% of organizations are confident their suppliers would notify them of a breach of their sensitive information.

Organizations depend on their third-party suppliers to provide key services such as payroll, software development or data processing. However, without strong security controls, vendors, suppliers, contractors, or business partners can put organizations at risk of a third-party data breach.

Unfortunately, new research by Ponemon Institute and Mastercard’s RiskRecon provides evidence that third-party data breaches may be underreported, as only 34% of organizations trust their suppliers would notify them of a data breach involving their sensitive information.

Image source: RiskRecon

This helps explain why weak third-party security controls are still a hitch for enterprises, as 59% of respondents confirm that their organization has experienced a data breach caused by one of their third parties, with 54% in the past took place 12 months.


MetaBeat 2022

MetaBeat will bring together thought leaders to offer advice on how metaverse technology will change the way all industries communicate and do business October 4 in San Francisco, CA.

Register here

The problem extends downstream as well, as 38% of organizations say the breach was caused by one of their “Nth parties,” pointing to the flaws in the third-party security controls in place for their suppliers and partners. As a result, only 21% of organizations are confident that their Nth party would notify them of a breach.

There are several key best practices that organizations should follow to mitigate third-party cyber risks, but the research shows that there is still more work to be done. These include creating and maintaining an inventory of all third parties and regularly reviewing their security and privacy controls. Unfortunately, the survey found that only 36% of organizations do this when entering a relationship, while only 43% regularly review these checks.

The main reasons organizations fail to follow such best practices are a lack of board accountability and involvement. Surprisingly, only 18% of organizations report that the CISO is responsible, while 35% report that third-party cyber risks are not a board-level priority.

The RiskRecon 2022 Data Risk in the Third-Party Ecosystem study is based on a survey of 1,162 IT and IT security professionals in North America and Western Europe conducted by the Ponemon Institute from May 2 – June 30, 2022.

Read the full report from RiskRecon and Ponemon Institute.

The mission of VentureBeat is a digital city square for tech decision makers to gain knowledge about transformative business technology and transactions. Discover our briefings.

Leave a Comment