20% of an organisation’s third parties are high risk: report
Some 20 percent of an organisation’s third parties are high risk, according to a new report from global cyber risk exchange provider CyberGRX. The inaugural issue of CyberGRX Exchange Insights, compiled by the CyberGRX data and analytics team, reveals trends and challenges organisations of all sizes face in combating third-party cyber risk today.
It found that, based on the third-party population ingested by enterprise customers, an average of 20 percent of an enterprise’s third-party portfolio poses high inherent risk.
The report also found that third parties in certain industries are more likely to have mature cybersecurity programs, but still have significant gaps. Organisations in the financial, technology, telecom, and healthcare industries are often third parties themselves. These third parties tend to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorisation and authentication.
The report found that company size correlates with security maturity and coverage. A larger organisation does not necessarily mean greater risk. In fact, the data shows that as companies get smaller, they have fewer controls in place and less mature programs.
Another key insight is that the most common third-party security gaps are desktop and laptop protection, server protection and virtualisation protection (on-premises or cloud-based). The report also found that organisations tend to focus on the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk.
Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties on the CyberGRX Exchange. To date, over 90,000 third parties have been ingested in the Exchange.
“Organisations have a responsibility to manage third-party risk—yet struggle with solutions to adequately address it. For thousands of businesses, our standardised, data-forward approach fills this void,” said Fred Kneip, CEO, CyberGRX.
“Our ability to identify and produce these insights is a testament to why our data exchange approach to third-party cyber risk management (TPCRM) works—allowing customers to analyse and action on data so they can create an informed and cohesive risk management strategy—rather than stockpiling assessments that exist in a vacuum.
“We are proud to share a selection of insights drawn from our Exchange to support all organisations in identifying and prioritising cyber risks so they can take necessary steps to reduce it.”
Today, organisations of all sizes and spanning enterprise markets participate on the Exchange, supplying data to extract insights. One such participant utilising the Exchange for TPCRM is Dave Estlick, CISO at Chipotle.
“CyberGRX’s approach to TPCRM has changed the game for risk management,” says Estlick. “This shift from static spreadsheets to structured data and analytics enables rapid and informed decision-making—and these insights from the Exchange are an example of how this approach will truly inform not just CISO, but the market, on how to reduce third-party risk.”
Copyright © intelligentinsurer.com 2024