Third-party cyber risk management is a burden on human and financial resources
Organizations and third parties see their third-party cyber risk management (TPCRM) practices as important but ineffective.
There are four major takeaways for key decision makers:
- Current practices and technologies used to support TPCRM and assess third parties are costly, inadequate and inefficient.
- Investing in better assessment and vetting tools can increase effectiveness in TPCRM while decreasing the cost of maintaining the program.
- Applying the same approach to all third parties can be quite costly. Taking the time to prioritize third parties and apply an appropriate level of due diligence to them will reduce costs and increase efficiencies in the long run.
- Control over budgets for TPCRM is dispersed throughout the organization which can make the allocation of resources inefficient because of competing interests.
These are the results of the Cost of Third-Party Cybersecurity Risk Management study announced by CyberGRX and executed by Ponemon Institute, surveying over 600 IT security professionals.
The survey respondents come from a variety of industries and are all directly involved in managing their organizations’ TPCRM programs.
These findings reinforce CyberGRX’s position that current TPCRM practices are not only draining resources but providing limited value in return. Over 53% of respondents experienced a third-party data breach in the past 2 years, costing them on average $7.5 million, yet surprisingly, the market has yet to adopt new approaches to manage third party cyber risk.
For instance, over 80% of respondents agreed that vetting and assessing third parties is critical, however 60% remain disheartened that their current vetting processes aren’t working. Even when an assessment uncovers a third-party security gap, organizations do not proactively mitigate these risks.
Only 24% confirm that their organizations collaborate with third parties to improve their security measures. And even still, organizations will request—not require—that third parties mitigate identified security gaps.
One of the most striking takeaways is the disparity in time spent by third parties on assessments and lack of perceived value and action taken by the receiving organizations. By and large, organizations still primarily use manual procedures such as spreadsheets (40%) and/or risk scanning tools (51%) to assess their third parties.
54% of these organizations, however, feel the results of these assessments provide at best, only somewhat valuable information. Meanwhile, third parties are spending, on average, 15,000 hours a year completing manual spreadsheets in order to maintain relationships with their customers, even though their customers only take action on 8% of those assessments.
The results of this study illustrate beyond a doubt, that organizations and their third parties are wasting critical human and financial resources on programs that aren’t optimized to help them reduce cyber risk in their shared ecosystems.
“The current state of third-party cyber risk management is failing,” said David Monahan, Senior Analyst, EMA. “It is far too manual and therefore does not scale. To add to that, most of the programs rely on qualitative information that is often poorly verified. This generates a huge amount of labor for results that, as the research shows, holds little confidence on both the part of the target of evaluation and the recipient. We must move to a far more scalable and quantitative method of evaluation to reduce third-party cyber exposure and bring confidence back to this process.”
Third-party data breaches continue to be an extensive problem. Until organizations adopt TPCRM methods that provide greater and actionable visibility into third-party risks, at scale, human and financial resources will continue to be exhausted and third-party incidents will continue to threaten our data and ecosystems.