Report: 54% of organizations breached through third parties in the last 12 months

Cyberattacks through an organization’s vendors or suppliers are greatly underreported. According to new research from Ponemon Institute and Mastercard’s RiskRecon, only 34% of organizations are confident their suppliers would notify them of a breach of their sensitive information.

Organizations are dependent upon their third-party vendors to provide such important services as payroll, software development or data processing. However, without having strong security controls in place, vendors, suppliers, contractors or business partners can put organizations at risk for a third-party data breach.

Unfortunately, new research by Ponemon Institute and Mastercard’s RiskRecon provides evidence that third-party data breaches may be underreported, as only 34% of organizations are confident their vendors would notify them of a data breach involving their sensitive information.

This helps explain why weak third-party security controls continue to be a chink in the armor for enterprises, as 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, with 54% occurring in the past 12 months.


The issue extends downstream as well: 38% of organizations say the breach was caused by one of their “Nth parties,” which points to flaws in the security controls that third parties have in place for their own vendors and partners. As a result, only 21% of organizations are confident that their Nth party would notify them of a breach.

There are several key best practices organizations should follow to mitigate third-party cyber-risk, yet the research shows more work needs to be done. These include creating and maintaining an inventory of all third parties and frequently evaluating their security and privacy controls. Unfortunately, the research found that only 36% of organizations do so when entering a relationship, while only 43% regularly review those controls.

The primary reasons organizations are not following such best practices are lack of accountability and involvement by boards of directors. Surprisingly, only 18% of organizations report that the CISO is accountable, while 35% report that third-party cyber-risk is not a board-level priority.

The RiskRecon 2022 Data Risk in the Third-Party Ecosystem study is based on a survey of 1,162 IT and IT security professionals in North America and Western Europe, conducted by the Ponemon Institute from May 2 to June 30, 2022.

Read the full report from RiskRecon and Ponemon Institute.

Originally appeared on: TheSpuzz