Report: Expectations vs. Reality in Third Party Risk Assessments

Data protection, access management, cloud security, incident detection and handling and business continuity: CyberVadis study reveals potential gaps that lead to an increased third party risk.

CyberVadis, a leading provider of third party cybersecurity risk assessments, has published a new study comparing the cybersecurity measures that companies declare in self-assessments with the results of CyberVadis' evidence-based assessments. The report focuses on five key areas of cybersecurity - data protection, access management, cloud security, incident detection and handling, and business continuity - to uncover the gaps that can lead to increased third party risk when declared controls are not independently verified.

Third party cybersecurity risk assessment

CyberVadis combines the speed of automation with the accuracy of a team of experts and involves vendors directly in cybersecurity assessments. CyberVadis validates the results with a team of security analysts and creates cybersecurity assessments that can be shared with other companies, along with a detailed improvement plan to strengthen your IT security.

As more and more companies use third-party services, the risk to sensitive data increases. However, many do not properly understand the security posture of their supply chains or do not monitor them adequately. The main reasons for this shortfall are limited resources and a lack of time. For this report, CyberVadis collected self-declared cybersecurity controls from more than 1,200 organizations and compared the results with its own assessments, which are based on thorough, analyst-verified evidence of these measures.

The main findings of the report include

Data protection due diligence doesn't always extend to procurement

While most organizations are aware of GDPR requirements, too many focus on internal data processing policies and overlook the threat posed by third parties. CyberVadis analysts found that less than one in three companies (29%) assessed the risks associated with possible non-compliance with data protection regulations. While 49% of companies train their employees in appropriate data protection practices, only 22% ensure that their procurement process includes dedicated controls for compliance and data protection.

Organizations allow remote access, but not always securely

As the COVID-19 pandemic accelerated the move to remote operations, nearly two-thirds (62%) of companies said they allow remote access to their systems. CyberVadis found that only 44% of them provide a secure remote access solution. More worrying still, only 37% have implemented strong authentication methods for accounts with high privileges, and only 25% of the companies evaluated have defined third-party access management.

There is room for improvement in the procurement and management of cloud providers

As another demonstration of the rapid migration to the cloud, 81% of companies said they are currently using cloud models. However, misconfigured cloud services carry a serious risk of security breaches, and the report found that this is the area where most improvement is needed. CyberVadis assessments showed that only 26% of organizations manage the risks associated with their cloud providers, 30% ensure that their cloud providers have an incident response strategy, and 34% ensure that their cloud providers have a business continuity plan in place.

Incident management processes do not include SIEMs or prevent recurrence

For today's businesses, data breaches are a question of "when?" rather than "if?", so they need to prepare accordingly. Strong capabilities for detecting and responding to incidents are central here, as they make it possible to contain cyber attacks at an early stage before permanent damage occurs. Fortunately, 75% of the companies evaluated have defined an incident management process, but only 32% have implemented a Security Information and Event Management (SIEM) solution, and only 32% have a "lessons learned" process to identify the root cause of incidents and reduce the likelihood of recurrence.

Crisis management is missing across the board, but organizations are committed to it

2020 has shown how important it is to prepare for unplanned events and to take the necessary measures to deal with a critical situation. Nevertheless, the report shows various shortcomings in crisis management in the organizations assessed. In their initial self-assessment, 95% of company managers name this as an area for improvement. CyberVadis reviews confirm this: only 44% of the companies evaluated have defined a business continuity plan, and only 22% test their plan on a regular basis. The CyberVadis analysts also found that only 24% of the companies assessed have defined crisis management, and only 4% carry out regular crisis exercises. This is worrying because a good crisis management plan requires a dedicated team that is well trained and prepared to respond promptly in the event of a major incident.

Methodology of the report

CyberVadis collected data on the cybersecurity controls declared by 1,289 organizations in the USA, EMEA and APAC and assessed them with standardized, analyst-validated audits via the CyberVadis platform. The full report can be read online and also downloaded.

More at CyberVadis.com

About CyberVadis

CyberVadis offers companies a cost-effective and scalable solution for third-party cybersecurity risk assessments. For a fixed annual fee, we carry out an unlimited number of evidence-based assessments via the CyberVadis platform. Our intuitive and user-friendly platform is based on a methodology that conforms to all major international compliance standards, including NIST, ISO 27001, GDPR and many other data protection and security laws. The CyberVadis solution combines the speed of automation with the accuracy and effectiveness of our team of experts.
