Companies in the United States aren’t confident that third-party vendors (or providers hired by their vendors) would inform them about breaches involving sensitive and confidential information, a recent survey from the Ponemon Institute reveals.
The study, Data Risk in the Third Party Ecosystem, focused on the concerns that companies have about their third-party vendors, and also looked into the businesses’ perception of fourth-nth-party vendors (indirect service providers or subcontractors).
The survey found that 37 percent of respondents don’t believe their third-party vendor would notify them in the event of a data breach, while 73 percent believe that a fourth-nth-party vendor would not notify them. The study notes that companies have both direct and indirect relationships with third parties and fourth-nth parties that are important in meeting business needs.
However, despite a large number of interactions, companies can’t easily detect and mitigate risks associated with third parties that have access to confidential and/or sensitive company information, the study found.
The report shows that companies are often uncertain whether their third parties have experienced a data breach: 49 percent of respondents confirmed a data breach caused by a third-party vendor, while 16 percent said they were unsure. While 73 percent of respondents said the number of cybersecurity incidents involving vendors is increasing, 65 percent said they find it difficult to manage cybersecurity incidents involving vendors.
Although they are not able to determine whether a vendor’s safeguards and security policies are sufficient to prevent a data breach, 58 percent of respondents still share sensitive data with those vendors. Only 41 percent of respondents said they were confident that their vendors’ data safeguards and security policies are sufficient to respond effectively to a data breach.
According to the survey, just 31 percent of respondents believe their vendor’s risk management program is highly effective, yet only 38 percent track the effectiveness of the vendor risk management program. Only 48 percent of respondents said they have a vendor risk management committee. What’s more, 62 percent of respondents said their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately, or they were unsure.
Earlier this year, Google decided to open source its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs. The interactive questionnaire application was developed to support security reviews by facilitating the collection of information and allowing users to display it in a template form. Google uses such questionnaires to evaluate third-party vendors’ security and privacy posture, but the company pointed out that they can also be used for self-assessment or for becoming familiar with security issues.
“Despite the number of publicized data breaches throughout the US, there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack. In fact, 60 percent of respondents said their companies still do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, often citing lack of having the internal resources to check or verify or that the third party will not allow for independent monitoring,” Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, said.
Conducted by the Ponemon Institute, the survey was commissioned by BuckleySandler LLP and Treliant Risk Advisors LLC.