Seventy-seven percent of IT decision makers believe their organization will experience a serious information breach within the next two years as a result of vendor activity on their networks, according to a study by cybersecurity vendor Bomgar.
The survey, “Vendor Vulnerability: How to Prevent the Security Risk of Third-Party Suppliers,” polled 608 decision makers with visibility over the processes for enabling external parties to connect to their systems remotely. Respondents included executives in various industries, including healthcare.
“As an organization’s network of vendors and third-party suppliers grows, so does the risk of a potential breach,” the study said. “Vendors will increasingly engage third-party suppliers of their own to carry out work on your organization’s behalf. However, 72 percent of respondents see this ‘fourth-party risk’ as a major concern for the future. It is hard enough to manage network access for the vendors you know about, let alone the ones that you don’t. The growing complexity of vendor networks presents significant challenges in this regard.”
IT managers, CIOs and CISOs know what is needed to reduce the risk, according to the Bomgar study. Fifty-five percent of respondents think their business will be better protected if they have a policy under which vendor access is stratified according to perceived levels of risk, and 78 percent believe third-party vendor breaches can only be effectively reduced through access control measures at a people, process and technology level.
What’s more, there is a general consensus that higher quality controls throughout the vendor lifecycle (57 percent), efficiency in the management and monitoring of vendors (52 percent), and effective monitoring of third-party vendor risks (52 percent) will be key considerations in safeguarding against vendor data breaches, the study found.
Many organizations may be placing too much trust in the vendors they work with. A startling 92 percent of respondents say they trust vendors completely or most of the time, the Bomgar study said. But there is a growing realization that, when granting a vendor access to a network, this decision needs to be based on more than just blind faith, the study found, and 67 percent of respondents believe that they tend to trust vendors too much.
“Organizations need robust controls and checks to mitigate the security risk of vendors,” the study said. “Do you know what technology and tools third parties are using to access your networks? Can you see when they’re accessing your systems and what they’re doing? Are your vendors sharing simple passwords among employees or employing security best practices, such as multifactor authentication and credential rotation? In the current climate, it is no longer enough to simply trust that a vendor has the security policies in place to defend against threats.”
Vendors and third-party suppliers clearly are vital to organizations. They are part of the ecosystem in which businesses must operate, and this ecosystem will only grow in scale and importance, the study noted.
Seventy-one percent of respondents are expecting their companies to become more reliant on third parties in the next two years, the study said. But as the complex network of suppliers and third-party vendors within an organization grows, so does the risk. Without proper policies for the control and management of vendor access to a network, the Bomgar study said, there is a security threat to not just the business but to its employees and customers.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com