Opus & Ponemon Institute Announce Results of 2017 Third Party Data Risk Study: 56% of Companies Experienced Data Breach, Yet Only 17% are Prepared to Mitigate Risk

Effectiveness of managing third-party risks worsening – companies cite inability to track, evaluate third party security and privacy

Opus, the leading provider of global compliance and risk management solutions, today announced the results of the second annual Ponemon Institute Data Risk in the Third- Party Ecosystem study. Sponsored by Opus, the study uncovers the security risk companies face when sharing sensitive information with third parties.

Cyberattacks – like the recent Equifax data breach – are becoming more and more common. One of the leading risks companies face when defending against cyberattacks are those brought on by their third-party ecosystem. In fact, fifty-six percent of companies surveyed by Ponemon experienced a data breach caused by a third party, a seven percent increase from 2016. The survey also found that 42 percent of companies experienced cyberattacks against third parties that resulted in the misuse of their company’s sensitive or confidential information, an 8 percent increase from 2016. Three-quarters of organizations said they believed the total number of cyber security incidents involving third parties are “increasing.”

The survey found that the effectiveness in managing third party risks remained low.  Fewer than one in five companies – 17 percent – felt their organizations effectively managed third party risk.   And less than half of all respondents said that managing outsourced relationship risks is a priority in their organization.

One of the key deficiencies identified in the study was that companies lacked visibility into their third-party relationships. Although the number of third parties with access to confidential or sensitive information has increased by 25 percent, compared with 2016, more than half of the companies do not keep a comprehensive inventory of all third parties with whom they share sensitive information. And, only 18 percent of respondents know how Nth parties access and process data.

Dov Goldman, VP, Innovation & Alliances of Opus, said, “Cyber-criminals continue to target weak links because companies are failing to successful manage risk. Smart companies are learning from those that have implemented clearly defined third-party risk management programs supported by good governance and robust technology.”

The study identified a strong correlation between implementing certain governance and IT security practices and a reduction in third-party data breaches. These practices include:

Evaluating security and privacy practices of all third parties. Supplement contractual agreements with audits and assessments. Organizations that adopted these practices were 20 percent less likely to experience a breach.

Creating an inventory of all third parties with whom information is shared. Organizations should prioritize visibility into third party data – and learn whether they share this data with others. Organizations with a comprehensive inventory were 19 percent less likely to experience a breach.

Oversight by board of directors in third-party risk management programs.  This includes regular reports on the effectiveness of these programs based on the assessment, management and monitoring of third-party.  Organizations whose board of directors requires assurances that third-party risks are effectively being managed were 10 percent less likely to experience a breach.

Analyzing Third Party Risk

The second annual Data Risk in the Third-Party Ecosystem Study included 625 individuals across multiple industries familiar with their organization’s approach to managing data risks created through outsourcing. All organizations represented in this study have a vendor data risk management program. Companies were asked to consider only those outsourcing relationships that require the sharing of sensitive or confidential information or involve processes or activities that require providing access to sensitive or confidential information.

Dr. Larry Ponemon commented, “Data breaches and cyberattacks continue to plague organizations who are often unaware that the source of their information security risks can result from sensitive data obtained by a third or Nth party. It is critical for organizations to actively manage their third-party interactions by implementing standard processes, including inventory and policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability.”

To download the 2017 Data Risk in the Third-Party Ecosystem: Second Annual Study, visit www.opus.com/ponemon.