Canadian Underwriter

Cyber attacks and data loss key concerns for supply chain relationships


March 4, 2015   by Canadian Underwriter



Third-party security is a top business concern for enterprises, but there is a steep disconnect in resources available to adequately and objectively manage this security, suggested a new study released on Tuesday.

Security ratings company BitSight Technologies released the commissioned study, Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability. It was conducted by Forrester Consulting on behalf of BitSight Technologies. The study is based on surveys of IT security and risk management decision makers in the United States, United Kingdom, France and Germany.

Forrester found that when it comes to tracking third-party risk, critical data loss or exposure (63%) and the threat of cyber attacks (62%) ranked as the top concerns, above standard business issues, including whether the supplier could deliver the quality and timely service as contracted (55%). Despite the desire for more robust insight into third-party security practices, only 37% of survey respondents reported tracking any of these metrics on a monthly basis.

The research further reveals that a vast majority of IT decision makers believe that continuous third-party monitoring would bring a major improvement to their security effectiveness in key areas, such as event identification time (76%), event remediation time (72%) and response times to high-profile events (71%).

Across the nine types of third-party information surveyed, an average of 59% indicated a desire to track and monitor. “Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency,” according to Forrester Consulting. “Enterprises overwhelmingly anticipate major or moderate improvement to many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in times required for security event identification and remediation times and responses to high-profile events.”

Stephen Boyer, CTO and co-founder of BitSight Technologies, noted in a statement that “the supply chain has become a cyber security minefield for companies, as we’ve seen with breaches caused by third-party vendors at Target, Neiman Marcus, Goodwill, Home Depot and many more. Continuous, data-driven monitoring of third-party security vulnerabilities and threats has become essential for effective vendor risk management.”

Other key findings include:

  • Forrester estimates that enterprises allocated 21% of their overall IT budget to third parties;
  • 63% of respondents believe continuous third-party monitoring would improve their ability to screen vendors based on risk;
  • 79% of respondents reported that ensuring business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months; and
  • 82% of respondents said that ensuring regulatory compliance is a “critical” or “high” priority, but only 29% were fully compliant, on average, across eighteen regulations or best practice guidelines.
