More than 8 in 10 security professionals say they are concerned about risks to suppliers and third parties, according to a report by Proofpoint and the Cloud Security Alliance.

Proofpoint and the Cloud Security Alliance on Wednesday released a report finding that 81% of security pros are “moderately” to “highly concerned” about risks surrounding suppliers and partners, with some 48% concerned about potential data loss as a result of supply chain risks.

The researchers said the high level of concern was warranted because 58% say that third parties and suppliers were the target of a cloud-based breach in 2021, raising the specter of more supply chain woes among enterprises.

“As organizations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter,” said Mayank Choudhary, executive vice president and general manager of information protection, cloud security and compliance at Proofpoint. “It’s an organization’s responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.”

Organizations are right to have concerns about data loss in the cloud, said Shira Shamban, CEO at Solvo, who added that one of the many byproducts of cloud technology adoption is the loss of governance. Shamban said sensitive data is too often found in the wrong places and is not appropriately secured.

“However, it’s not realistic to not store data in the cloud. Organizations must instead incorporate adequate security measures,” Shamban said. “This includes minimizing the usage and storage of data in the cloud to only data that’s necessary to perform an action, and to be very specific as to who can access the data.”

Boris Gorin, co-founder and CEO at Canonic Security, added that the most interesting finding is that nearly 60% of organizations surveyed indicated that third parties and suppliers were the target of a cloud-based breach.

Gorin said he wondered how many of the organizations had an inventory of all their third-party integrations and add-ons. What access and reach do these integrations have in their environments, Gorin asked, and how many of them are active at all?

“Third-party risk is one of the only areas in security today where the challenge still focuses on defining the approach and policies rather than executing them,” Gorin said. “Most breaches happen because we didn't execute on a policy — not because we didn't have one. Today, we manage risk of known vendors we have partnered with rather than measuring the impact third-party integrations have on our environment — which may be a whole different set of vendors entirely.”