Opus, the provider of global compliance and risk management solutions, announced Thursday (Nov. 15) the results of the Ponemon Institute's third annual “Data Risk in the Third-Party Ecosystem” study, which found that 59 percent of companies surveyed said they have experienced a data breach caused by their vendors or third parties.
In a press release announcing the results of the survey of more than 1,000 CISOs and other security and risk professionals across the U.S. and U.K., Opus said that in the U.S., the percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016. The research also found that 22 percent of respondents admitted they didn't know if they had a third-party data breach during the past 12 months, and more than three-quarters of companies think third-party cybersecurity breaches are increasing.
“The third-party ecosystem is an ideal environment for cybercriminals looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” said Dov Goldman, VP of innovation and alliances at Opus, in the press release. “To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that supports automated technology and strong governance practices.”
According to Opus, one of the major reasons companies don't know what's going on with their vendors is that the third-party landscape has gotten increasingly complex, and companies are becoming increasingly reliant on outside vendors. Opus said that on average, companies share confidential and sensitive information with around 583 third parties, yet only 34 percent keep a comprehensive inventory of those parties.
The company also noted that 69 percent of respondents indicated that a lack of centralized control was the key reason for not having a comprehensive inventory of third parties. Other reasons included a lack of resources and the complexity of third-party relationships. What's more, Opus found that fewer than half of all companies said that management of third-party relationship risks is effective and a priority within the company, with only 37 percent indicating that they have sufficient resources to manage those relationships.
“While corporate executives understand the implications of a data breach or cyberattack to their business, far fewer are aware of the source of these attacks and the vulnerabilities that their organizations need to address to properly secure their data,” commented Dr. Larry Ponemon in the same press release. “Considering the explosive growth of outsourced technology services and the rising volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.”