Public sector organizations, including federal as well as state and local agencies, find themselves in a quandary: They increasingly recognize the risk posed by overreliance on third-party vendors, but also find that rigid budgets restrict their ability to respond as security events develop.
At the same time, as part of their ordinary course of doing business and to get work done more efficiently, public sector organizations grant dozens, sometimes hundreds, of third parties access to their private networks and sensitive databases.
Despite ongoing onboarding challenges, a recent survey by CyberRisk Alliance Business Intelligence and sponsored by Security Scorecard found that 38% of total respondents currently contract with more than 100 “trusted third parties” and 13% contract with 500 or more such parties. Those in healthcare or public sector markets tend to have the highest number of trusted third parties under contract, which creates added risk. In fact, some 70% of public sector entities said their concern has increased either somewhat (50%) or significantly (20%).
Those rising concern levels are mirrored by low confidence levels: All sectors are worried to some degree about their ability to prevent or mitigate the IT security risks associated with their third-party relationships. This is especially disconcerting for entities that partner with vendors that in turn use subcontractors — something that happens all the time in the public sector — a situation that often creates tiers of risk that become difficult for agencies to monitor and manage.
This CRA study, based on an online survey of 250 U.S.-based IT and cybersecurity decision-makers and influencers, also found that those working for public entities had less faith in their organization’s ability to prevent third-party security threats — especially compared with their counterparts in financial services. This makes sense given the different fiscal natures of private and public entities: the latter normally have less budget flexibility and tend to run budgets year to year rather than over three to five years, which leaves them fewer funding options.
The CRA study found that nearly one-third of the total group is very interested in adding technology solutions to their risk management programs, particularly to improve response/remediation times, risk assessments and regulatory compliance stances. Government organizations at the state, federal and local levels especially wanted to improve response/remediation times.
Interest in technology solutions could stem from frustrations with the challenges of onboarding and retaining personnel to manage third-party risk, and with the intensive monitoring and management that third-party access points require as their numbers grow, something that is especially true at large government agencies.
All vertical sectors — including government entities — were also interested in adopting zero-trust principles, which makes sense because the federal government has been a champion in promoting zero-trust for the past year. Some 22% of respondents currently incorporate a zero-trust model into their third-party risk management program. And the CRA researchers say that percentage should grow as 71% — nearly 3 in 4 — believe the zero-trust model has become very important to managing third-party risk.