Organizations not equipped to handle increasing third-party risks
A new study into third-party risk management shows that 45 percent of organizations experienced a third-party security incident in the last year.
But the report from Prevalent also reveals that eight percent of companies don't have a third-party incident response program in place, while 23 percent take a passive approach to third-party incident response.
Third-Party Risk Management (TPRM) is becoming more strategic, but 45 percent of organizations are still using manual spreadsheets to assess third-party risk. Two-thirds of respondents say that their TPRM programs have more visibility among executives and the board compared to last year. However, that visibility has come only after a sharp rise in third-party vendor- and supplier-related cybersecurity issues such as Log4j, the Toyota supply chain breakdown, and the Kaseya ransomware attack.
These manual processes add unnecessary complexity and time to third-party risk audits, with 32 percent of respondents saying it takes more than a month -- more than 90 days in some cases -- to produce reporting and evidence required to meet regulatory audits.
"The past year has brought even more attention to the risks associated with third-party vendors and suppliers, specifically to the supply chain with continued cyber disruptions," says Brad Hibbert, chief strategy officer for Prevalent. "And although today's survey illustrates that organizations are starting to view their third-party management programs more strategically, there is still more progress to be made. More and more companies are starting to assess non-IT risks, which is a step in the right direction. But unfortunately, over half are not -- and that could lead to financial loss. Together with a comprehensive TPRM solution, companies can build a stronger defense against IT and reputational third-party risks."
The full report, including recommendations for benchmarking and improving TPRM processes, is available from the Prevalent site.