Small can be ugly when it comes to third-party cybersecurity
Digital transformation initiatives often involve closer relationships with other businesses, but these can expose a company to additional risk if the other party's security isn't up to scratch.
New research from CyberGRX, based on data collected from the third parties on its exchange, finds that company size correlates with the maturity of cybersecurity programs: as companies get smaller, they have fewer controls in place and less mature programs.
A recent Ponemon report says that 82 percent of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.
When there are many third parties in an enterprise's vendor ecosystem, it becomes challenging -- but more important than ever -- to know each organization's control coverage. CyberGRX highlights four 'control groups' that need to be addressed:
- Strategic controls that address cybersecurity and privacy policies, planning, and governance.
- Operational controls that cover everyday security activities such as threat analysis, incident response, and vulnerability management.
- Core controls made up of technical safeguards like data encryption, key management, and endpoint protection.
- Management controls which focus on security-related processes or functions such as configuration and change management or third-party risk management.
The research shows that companies with revenues of $1M-$10M have lower coverage across all control groups, particularly in Core controls (82 percent) and Management controls (78 percent). This underlines the fact that doing complete due diligence on all vendors, regardless of size, is vital.
The report's authors conclude, "Just paying attention to surface-level cybersecurity data or performing outside-in scanning, for example, is only the tip of the iceberg. In order to get complete visibility into the cyber health of third parties, companies should know the maturity levels of the vendors' security programs. This is because having programs that are efficient, scalable, and adaptable means more security for your business as well."
You can read more about the findings on the CyberGRX blog.