Opus, the leading provider of global compliance and risk management solutions, today announced the results of the second annual Ponemon Institute Data Risk in the Third- Party Ecosystem study. Sponsored by Opus, the study uncovers the security risk companies face when sharing sensitive information with third parties. 

Cyberattacks – like the recent Equifax data breach – are becoming more and more common. One of the leading risks companies face when defending against cyberattacks are those brought on by their third-party ecosystem. In fact, fifty-six percent of companies surveyed by Ponemon experienced a data breach caused by a third party, a seven percent increase from 2016. The survey also found that 42 percent of companies experienced cyberattacks against third parties that resulted in the misuse of their company’s sensitive or confidential information, an 8 percent increase from 2016. Three-quarters of organizations said they believed the total number of cyber security incidents involving third parties are “increasing.”

The survey found that the effectiveness in managing third party risks remained low.  Fewer than one in five companies – 17 percent – felt their organizations effectively managed third party risk.   And less than half of all respondents said that managing outsourced relationship risks is a priority in their organization.

One of the key deficiencies identified in the study was that companies lacked visibility into their third-party relationships. Although the number of third parties with access to confidential or sensitive information has increased by 25 percent, compared with 2016, more than half of the companies do not keep a comprehensive inventory of all third parties with whom they share sensitive information. And, only 18 percent of respondents know how Nth parties access and process data. 

Dov Goldman, VP, Innovation & Alliances of Opus, said, “Cyber-criminals continue to target weak links because companies are failing to successful manage risk. Smart companies are learning from those that have implemented clearly defined third-party risk management programs supported by good governance and robust technology.”

The study identified a strong correlation between implementing certain governance and IT security practices and a reduction in third-party data breaches. These practices include:

Evaluating security and privacy practices of all third parties. Supplement contractual agreements with audits and assessments. Organizations that adopted these practices were 20 percent less likely to experience a breach.

Creating an inventory of all third parties with whom information is shared. Organizations should prioritize visibility into third party data – and learn whether they share this data with others. Organizations with a comprehensive inventory were 19 percent less likely to experience a breach.

Oversight by board of directors in third-party risk management programs.  This includes regular reports on the effectiveness of these programs based on the assessment, management and monitoring of third-party.  Organizations whose board of directors requires assurances that third-party risks are effectively being managed were 10 percent less likely to experience a breach.