Making Third-Party Risk Foolproof. Is Your Organization Ready to Assess, Manage, and Remediate Third Party and Cyber Risk?
IT Risk & Cyber Risk | 5 Min Read | 28 January 22 | by Vidya Phalke
Key Findings from Third-Party Risk: A Turbulent Outlook Survey Report 2022
“How can we make cybersecurity foolproof?” is a question I have been asked. My answer is always the same. When it comes to cybersecurity, thinking one can achieve a foolproof status is proof of being a fool. Cybersecurity can never reach a perfect state but is a continuous journey. The question asked should then be on how one should prioritize the journey.
This journey now includes third parties as well. Over the past few years, more so with the recent pandemic, organizations are increasingly relying on third parties, including vendors and suppliers, to meet business goals and gain the much-needed competitive advantage. But as organizations choose outsourced services and software to make up for talent and supply shortages, they are also increasingly seeking effective ways to mitigate the elevated risk that third-party relationships bring.
To understand how organizations are prioritizing and managing third-party risk, MetricStream sponsored a study with thinktank CyberRisk Alliance to survey top IT and cybersecurity decision-makers and influencers from across industries and understand how well organizations managed and mitigated risks associated with third-party partnerships.
We learned a lot – mostly that third parties remain a highly critical and sensitive risk factor for cyber risk incidents like data breaches and more.
Who was surveyed?
301 IT and cybersecurity decision-makers and influencers from the United States and Canada (1%) were surveyed online in late fall 2021. CISOs (35%), IT security directors or managers (49%) and administrators, analysts and consultants (16%) across diverse industries including business or professional services, manufacturing, retail or ecommerce, high-tech/IT, and financial services and insurance, healthcare, government, non-profits, and energy & utilities were part of the survey. 64% worked at companies with less than 1,000 employees, while the remaining 36% worked at organizations with a larger workforce.
Participants were asked about their vendor relations, concerns, and challenges in managing risks, and the actions they are taking to combat third-party cyber risk.
Here are a few key highlights from the Third-Party Risk: A Turbulent Outlook Survey Report 2022:
The threat from partnerships has accelerated, with 60% of cyber attacks coming from third parties
The past two years stand witness to a drastic increase in supply chain attacks, with many of the outcomes being well-publicized, such as the SolarWinds. The report survey findings highlight an accelerated threat from IT vendors and third parties:
- 60% of respondents experienced an IT security incident in the past two years due to a third-party partner with access privileges
- The same respondents were also the most likely to have had sensitive data stolen or to have suffered some type of business outage
- When it came to damages, some paid as much as $1 million or more, with 45% incurring at least $100,000
Third-party risk mitigation and management have become a priority
Several factors, including the sudden onset of the pandemic, large numbers of employees working from home, and the more recent trend of employees quitting their jobs in what is being termed “The Great Resignation”, have resulted in organizations becoming dependent on IT vendors and third parties.
IT leaders recognize the elevated risk from outsourcing elements of IT functionality.
- 76% of respondents stated that managing third-party risk was a high or critical priority
- 70% ranked cyber as the No. 1 or No. 2 risk among their third-party/supply chain partners
The result of this heightened risk awareness is that most IT and cybersecurity teams have increased their budgets as well. Nearly half (49%) of all organizations have increased budget spending to improve third-party risk management programs.
Effective cyber third-party risk management remains a challenge
Although most IT and cybersecurity leaders are aware of the elevated risk from third-party partnerships, they are faced with multiple challenges when it comes to ensuring effective cyber vendor risk management.
Common challenges cited by survey respondents include:
- Lack of qualified staff to implement a third-party management solution
- Difficulty in prioritizing, assessing, and managing a large number of partners
- Lack of resilience against attacks or malware from trusted third parties
An acute lack of visibility into supply chains and associated risk was also named as a major challenge, with 72% of respondents believing that supply chain visibility including tracking components, sub-assemblies, and final products was very or critically important. Added to this was also the lack of communication or coordination between IT security, governance, leadership, and procurement teams.
IT and cybersecurity teams also faced challenges around evaluating who would do the risk evaluation.
Currently, more than half (54%) relied on their third-party partners’ assessments, while the remaining 43% hired an outside service.
Get the Full Report: Third-Party Risk: A Turbulent Outlook Survey Report 2022
Register for the Webinar on 22 Feb 2022: What’s Next in CyberRisk? Third-Party Risk: A Turbulent Outlook
Tune in to listen to a team of experts who will review the key findings of the Cyber Risk Alliance Report, “Third Party Risk Lurking in the Shadows”, as well as discuss practical recommendations for actively managing cyber risk.
Power What’s Next by Leveraging CyberGRC SaaS Solutions
Effective management and mitigation of third-party cyber risks requires regular updating of policies and re-examination of procedures, replacement of obsolete tools, periodic review of partnerships, and the development and/or adoption of new frameworks.
Organizations will also need adequate visibility into vendor and third-party activity, seamless collaboration between various teams, and a quick remediation plan in place in the event of a security incident. Digital tools built to assess and mitigate third and fourth-party risk are the way forward for organizations seeking to manage vendor and third-party risks in a streamlined and consistent manner.
MetricStream’s CyberGRC can effectively keep third-party risks in check with the IT Vendor Risk and Third-Party Risk Management solution which provides integrated, real-time visibility into the vendor ecosystem and empowers organizations to gain an in-depth view of risks of both third and fourth-party vendors. Additionally, with the automation of vendor information management, vendor onboarding, continuous monitoring, vendor risk, compliance and control assessments, and risk mitigation, organizations gain a single and simple tool to manage their IT vendor and third-party risks.
Managing and mitigating third-party risks is a continuous and ongoing process. Supply chain, third-party, and vendor cyber risks will keep escalating as organizations continue to be driven by the many benefits that an extended enterprise brings. To stay ahead, organizations will need to amp up their protection to assess, manage, and mitigate risks. Click here to read what else the CISOs had to say about managing and monitoring third-party risk – and contact us to see how MetricStream can help! Request a custom demo now.
This is the second blog in the “CyberSeries: The Power of Resilience” blog series. As CISOs, CIOs, and board members all grapple with the challenge of cyber risk, we bring you what’s next when it comes to effectively measuring, managing, and mitigating risks in today’s complex and volatile environment. Read the first blog on Five Critical Capabilities to Prepare for Effective Cyber Risk Management.