More than half of the respondents to a CRA Business Intelligence survey (57%) say they were victims of an IT security incident related to a third-party partner in the past 24 months.

Respondents from CRA Business Intelligence’s recent Third-Party Risk Survey believe that third parties are increasingly the cause of IT security incidents — and some say they have been the primary source of attacks in the past two years.

As a result, organizations are now emphasizing third-party risk, and many are devoting more attention to risk management around third parties. Respondents say their increased dependency on vendors and other partners such as manufacturers, suppliers, and subcontractors, as well as increasingly complex supply chains, lack of visibility into third- and fourth-party partners, and the vast scope of data accessible to them, have vastly increased their exposure to attacks.

This trend, combined with a greater global presence, the use of more diversified applications, programs, and cloud technologies, and the complexity and persistence of supply chain threats and threat actors, is the catalyst for recognizing and addressing the risk exposure and potential liabilities from attacks and breaches originating from third parties.

The CRA survey on cybersecurity attacks originating from third parties was based on an online survey conducted in November 2022 among 209 security and IT leaders and executives, security administrators, and compliance professionals in the U.S. from CRA’s Business Intelligence research panel. The following are the leading takeaways from the survey:

  • Most respondents are increasingly working with more third-party products and services. The overall average estimated number of third-party partners (including software vendors, IT service providers, business partners, brokers, subcontractors, contract manufacturers, distributors, agents, and resellers) among all respondents is 88. This estimate varies with organization size: large enterprises have roughly 173 third-party partners and are much more likely to have the most complex supply chains.
  • Most respondents have been the victim of a third-party breach. More than half of all respondents (57%) reported they were victims of an IT security incident — either an attack or a breach — related to a third-party partner in the past 24 months. On average, organizations experienced two third-party-related security incidents (attacks or breaches) in the past two years. This number increases with organization size, with respondents from the largest organizations estimating they experienced an average of five incidents during this period.
  • The majority say a software vendor was the source of the attack. Among those whose organizations were afflicted, 52% said the source of their attack was a software vendor. And for nearly 4 in 10 respondents (39%), a business partner, subcontractor, or IT service provider was responsible for the incident.
  • Network outages/downtime are the leading results of a third-party attack. About 8 in 10 respondents said they experienced one or more consequences from these attacks. The most common were network outages/downtime, reported by 31%, and disruption in customer service (28%). Another 27% suffered a business disruption or shutdown, while 24% said their data was stolen/exfiltrated. One in five respondents also reported financial losses or supply chain disruptions.
  • Security and IT staff are concerned about lack of qualified staff, tight budgets. Concerns about managing third-party risks centered around the lack of human resources, budgets, and technology solutions. Nearly half of all respondents (49%) rated the lack of qualified staff to implement a third-party management program as highly concerning (rating this a 5, 6, or 7 out of 7), while the lack of visibility into third-party risks (45%), insufficient budget (44%), and lack of an automated third-party

So, given all these challenges, will companies do something about third-party risk? For the most part, expect some movement at larger organizations.

Overall, more than half (56%) say they expect “some investment” and 23% expect a “limited investment” in third-party risk management technology or resources in the next 12 months. While no respondents from small organizations said they expect a significant third-party risk management investment in 2023, 27% from the largest organizations anticipate significant investment this year.