Report: 54% of organizations have experienced a third-party breach in the past 12 months


Cyber attacks that reach an organization through its vendors or suppliers are severely underreported. According to new research from the Ponemon Institute and Mastercard's RiskRecon, only 34% of organizations are confident that their suppliers would notify them of a breach involving their sensitive information.

Organizations rely on their third-party vendors to provide such important services as payroll, software development or data processing. However, without strong security controls in place, vendors, suppliers, contractors or business partners can put organizations at risk of a third-party data breach.

That low level of confidence is itself evidence that third-party data breaches go underreported: if only a third of organizations expect to be told, a significant share of incidents at suppliers never make it into the victims' own breach statistics.

Image source: RiskRecon

This helps explain why weak third-party security controls remain a chink in the armor for businesses. 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, and 54% say it happened within the previous 12 months.


The problem also extends further down the supply chain: 38% of organizations say the breach was caused by one of their "Nth parties," that is, a supplier of one of their own suppliers, pointing to failures in the third-party controls their vendors and partners apply to their own supply chains. Visibility is even worse at that remove, as only 21% of organizations are confident that an Nth party would notify them of a breach.

There are several key best practices organizations should follow to reduce third-party cyber risk, but the research shows that more work needs to be done. These include creating and maintaining an inventory of all third parties and regularly evaluating each one's security and privacy controls. The research found that only 36% of organizations evaluate a third party's controls when entering into the relationship, and only 43% re-evaluate those controls on a regular basis.

The main reasons organizations fail to follow these practices are a lack of clear accountability and a lack of board involvement. Only 18% of organizations report that the CISO is responsible for managing third-party cyber risk, while 35% report that third-party cyber risk is not a board-level priority.

The RiskRecon 2022 Data Risk in the Third-Party Ecosystem study is based on a survey of 1,162 IT and IT security professionals in North America and Western Europe conducted by the Ponemon Institute from May 2 – June 30, 2022.

Read the full report from RiskRecon and the Ponemon Institute.
