Some of the most prolific attacks on business and government organizations in 2021 were caused by vulnerabilities traced back to third-party vendors. The threat, made more real by high profile attacks like Kaseya and others, is spurring many organizations to reevaluate how they conduct business with partners.
In a study conducted in the fall of 2021 by CyberRisk Alliance Business Intelligence and sponsored by Security Scorecard, 91% of 250 U.S.-based IT and cybersecurity decision makers and influencers surveyed reported a security incident related to a third-party partner in the past year. Fifteen percent reported 20 or more partner-related incidents. One senior IT engineer in the insurance industry worried about “staying ahead of [third-party] risks as they are coming at us so quickly.” A counterpart in healthcare noted, “Too many partners, not enough resources to manage.”
Companies working in financial services were most likely to report a cyber incident involving a third-party breach. That can likely be attributed to the fact that financial services sector has long been a frequent target of cybercriminals, and is heavily regulated with strict guidelines to report these incidents to authorities.
The pandemic and the remote work movement also presented additional security challenges. Employers gave employees secure access to networks and databases remotely, sometimes over public Wi-Fi or unprotected home networks. Their vendors and contractors were challenged in the same way. Overlapping with those COVID challenges was an uptick in third-party security incidents during the last 12 months for two-thirds of respondents.
With cybersecurity incidents on the rise, it’s understandable that organizations want to reduce their risk exposure when it comes to vendors and contractors. Virtually every survey participant registered some level of concern. Most were mildly (20%) or moderately (40%) concerned, while 27% were very concerned about the threat posed, particularly those working in healthcare. Regulatory compliance was the top priority for healthcare, while those working in the public sector were most concerned with remediation times. Insurers were more likely to worry about partnerships and supply chains, and financial service providers ranked risk assessments and remote monitoring as the biggest concern.
In the healthcare sector, 32% of respondents were seriously concerned about third-party threats, which was higher than other sectors. Indeed, the stakes are higher in healthcare, where a compromised medical device can damage more than IT systems or a health system’s reputation. Ransomware gangs have long targeted regional hospital systems, knowing a disruption in service could be deadly. On top of that, pilfered patient records are more valuable than financial ones on the dark web.
On a more encouraging note, the report found a high number of organizations communicating third-party IT security risks or incidents to their boards. Among those surveyed, 73% were keeping their board informed, and another 17% intended to start supplying such information in the coming year.