
New report pits expectation against reality in third-party risk assessments

Businesses in the UK may be inadvertently opening themselves up to increased supply chain risk due to improper assessments of cybersecurity controls, according to a new report.

As more organisations use third-party services, the risk to sensitive data increases. However, many fail to understand or properly monitor the security posture of their supply chains, which is often weak because suppliers lack the resources or time to maintain it. To put this into perspective, cybersecurity risk assessment specialist CyberVadis has launched a new report, ‘Supply chain cybersecurity: 5 key challenges to overcome’, to understand where common reporting gaps lie and how businesses can improve their security profile when using third parties.

For this report, CyberVadis collected the self-assessed declarations of cybersecurity controls from more than 1,200 organisations in the US, EMEA and APAC and analysed the results against its own assessment, which is based on a thorough, certified demonstration of those measures. The report focuses on five key areas of cybersecurity – data privacy, access management, cloud security, incident detection and response (IDR) and business continuity – to uncover potential reporting gaps that could lead to increased third-party risk when assessments go uncertified.

“As we look to post-pandemic strategies, many companies are still grappling with risk management, and complexity increases for larger organisations – many of which have been running to stand still as digitalisation projects accelerated during the last twelve months,” said Thibault Lapédagne, Head of Cybersecurity Research at CyberVadis. “This report shines a light on inherent risks to businesses, especially those associated with partners and suppliers that have incorrectly analysed their own security profile and subsequently pose third party cybercrime risks.”

Among its findings, the report found that data privacy due diligence does not always extend to procurement. While most organisations are aware of GDPR requirements, too many focus on internal data processing policies and overlook the threat posed by third parties. CyberVadis analysts found that fewer than one in three organisations (29%) have evaluated the risks associated with potential non-compliance with data privacy regulations. While 49% of organisations do train their employees on appropriate data protection practices, just 22% make sure that their procurement process includes dedicated controls for compliance and data privacy.

As the COVID-19 pandemic accelerated the move to remote operations, the report found that businesses are enabling remote access, but not always securely. Two thirds (62%) reported that they allow remote access to their systems – but CyberVadis found that, of the rated companies, just 44% have deployed a secure remote access solution. More concerning still, only 37% have implemented advanced authentication methods for high-privilege accounts, and only 25% of rated organisations have defined a third-party access management process.

In a further demonstration of the rapid migration to the cloud, 81% of organisations declared that they currently use cloud models. However, misconfigured cloud environments carry a serious risk of malicious breaches, and the report found this to be the area requiring the most improvement. CyberVadis assessments showed that only 26% of organisations manage the risks associated with their cloud providers, 30% ensure their cloud provider has an incident response strategy and 34% ensure their cloud providers have a business continuity plan.

Lastly, the trend shows that incident management processes do not always include a SIEM or prevent recurrence. For today’s businesses, data breaches are a matter of when, not if, so they must take adequate steps to prepare. Strong incident detection and response capabilities are central to that, enabling cyber-attacks to be contained at an early stage before lasting damage is caused. Encouragingly, 75% of rated companies have defined an incident management process; however, just 32% have deployed a Security Information and Event Management (SIEM) solution, and only 32% have a ‘lessons learned’ process to identify the root cause of incidents and reduce the probability of recurrence.

“When it comes to third-party suppliers, businesses cannot rely on the self-assessment of those vendors – as a breach resulting from a simple misrepresentation could lead to significant financial and reputational damage,” continued Lapédagne. “While some of our research findings are encouraging, there are still concerning gaps to remind us that security assessments must always be based on evidence and fact, rather than subjective declarations from your suppliers. Our analyst-validated audits map to all major international compliance standards, improving trust across organisations and their suppliers.”

This was posted in Bdaily's Members' News section by D Baker.
