Report: 54% of organizations were breached through a third party in the last 12 months


Cyber attacks through an organization’s vendors or suppliers are largely underreported. According to new research from the Ponemon Institute and Mastercard’s RiskRecon, only 34% of organizations are confident that their suppliers would notify them of a breach of their sensitive information.

Organizations depend on their third-party vendors to provide important services such as payroll, software development or data processing. However, without strong security controls in place, vendors, suppliers, contractors or business partners can put organizations at risk for a third-party data breach.

Unfortunately, new research from the Ponemon Institute and Mastercard’s RiskRecon provides evidence that third-party data breaches may be under-reported, with only 34% of organizations confident that their suppliers would notify them of a data breach involving their sensitive information.


This helps explain why weak third-party security controls remain a chink in the armor for businesses: 59% of respondents confirmed that their organizations have suffered a data breach caused by a third party, and 54% have experienced one in the past 12 months.


The issue extends downstream as well, with 38% of organizations saying the breach was caused by one of their “Nth parties” (the vendors and partners of their own vendors), pointing to flaws in the third-party security controls those vendors and partners have in place. As a result, only 21% of organizations are confident that their Nth parties would notify them of a breach.

There are several key best practices that organizations should follow to mitigate third-party cyber risk, but research shows that more work needs to be done. These include creating and maintaining a list of all third parties and frequently evaluating their security and privacy controls. Unfortunately, the survey found that only 36% of organizations do so when entering into a relationship, while only 43% regularly review these controls.

The main reasons organizations do not follow such best practices are a lack of accountability and a lack of buy-in from boards of directors. Surprisingly, only 18% of organizations report that the CISO is accountable for third-party cyber risk, while 35% report that it is not a board-level priority.

The RiskRecon 2022 Data Risk in the Third-Party Ecosystem study is based on a survey of 1,162 IT and IT security professionals in North America and Western Europe conducted by the Ponemon Institute from May 2 to June 30, 2022.

Read the full report from RiskRecon and the Ponemon Institute.
