As they look to post-pandemic strategies, many businesses are still grappling with risk management, and the complexity only increases for larger organisations, many of which have been running to stand still as digitalisation projects accelerated during the last twelve months. What’s more, as more organisations use third-party services, the risk to sensitive data increases. However, many fail to understand or properly monitor the security posture of their supply chains, which is often lacking due to reduced resources or time.
To put this into perspective, cybersecurity risk assessment expert CyberVadis has launched a new report to understand common reporting gaps and how businesses can improve their security profile when using third parties. The report focuses on five key areas of cybersecurity – data privacy, access management, cloud security, incident detection and response (IDR) and business continuity – to understand the nature of third-party risk through uncertified assessments. By shining a light on these inherent risks to businesses, especially where partners and suppliers have incorrectly analysed their own security profile, CyberVadis has identified where third-party cybercrime risks lie.
Among its findings, CyberVadis found that data privacy due diligence doesn’t always extend to procurement. While most organisations are aware of GDPR requirements, too many focus on internal data processing policies and overlook the threat posed by third parties. CyberVadis analysts found less than one in three organisations (29%) have evaluated the risks associated with potential non-compliance with data privacy regulations. While 49% of organisations do train their employees on appropriate data protection practices, just 22% make sure that their procurement process includes dedicated controls for compliance and data privacy.
As the COVID-19 pandemic accelerated the move to remote operations, the report found that organisations are enabling remote access, but not always securely. Nearly two thirds (62%) of organisations reported that they allow remote access to their systems – but CyberVadis found that, of the rated companies, just 44% have deployed a secure remote access solution. More concerning still, only 37% have implemented advanced authentication methods for high-privilege accounts, and only 25% of rated organisations have defined third-party access management.
2020 also highlighted the importance of anticipating unplanned events and implementing the necessary measures to manage a critical situation. Despite this, the report shows various crisis management shortcomings among the rated organisations. In their initial self-reporting, 95% of business leaders cite this as an area for improvement. CyberVadis assessments verify this, as just 44% of rated organisations have defined a business continuity plan, and 22% test their plan regularly. CyberVadis analysts also found that only 24% of rated organisations have defined crisis management and a mere 4% conduct periodic crisis exercises. This is worrying, as a good crisis management plan involves the dedicated team being well trained and prepared to react promptly if a major event occurs.
In further demonstration of the rapid migration to the cloud, 81% of organisations declared that they currently use cloud models. However, misconfigured cloud environments pose a serious risk of malicious breaches, and the report found this to be the area requiring the most improvement. CyberVadis assessments showed that only 26% of organisations manage the risks associated with their cloud providers, 30% ensure their cloud provider has an incident response strategy and 34% ensure their cloud providers have a business continuity plan.
Lastly, the trend shows that incident management processes often include neither SIEMs nor measures to prevent recurrence. For today’s organisations, data breaches are a matter of when, not if, so they must take adequate steps to prepare. Strong incident detection and response capabilities are central to that, enabling cyber-attacks to be contained at an early stage before lasting damage is caused. Encouragingly, 75% of rated companies have defined an incident management process; however, just 32% have deployed a Security Information and Event Management (SIEM) solution and only 32% have a ‘lessons learned’ process to identify the root cause of incidents and reduce the probability of recurrence.
“When it comes to third-party suppliers, businesses cannot rely on the self-assessment of those vendors – as a breach resulting from a simple misrepresentation could lead to significant financial and reputational damage,” continued Lapédagne. “While some of our research findings are encouraging, there are still concerning gaps to remind us that security assessments must always be based on evidence and fact, rather than subjective declarations from your suppliers. Our analyst-validated audits map to all major international compliance standards, improving trust across organisations and their suppliers.”