Addressing Third-Party Risk in 2024: Insights Inspired by Bitsight-Google Study


Third-party risk is everywhere, and the cybersecurity posture of those third parties is more important now than ever before. With organizations using 130 SaaS solutions on average, onboarding the “wrong” vendor — one that doesn’t share the same cyber practices or hygiene as you do, or one with which sharing sensitive data would be cause for concern — could land an organization in hot water.

These risks can potentially spiral into data breaches and subsequent reputational damage, even financial loss. That’s why it’s critical to fully understand where third-party cyber risk lies so it can be properly managed. 

A recent study by Bitsight in collaboration with Google reveals that many organizations are failing security controls with significant correlations to bad outcomes. The global analysis — studying nearly 100,000 organizations across nine industries — pinpoints where security failures are most prevalent across 16 security controls in the Minimum Viable Secure Product (MVSP) framework.

MVSP is a minimalist security checklist backed by Google, Okta, Salesforce, and other tech titans designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. This blog will break down the latest third-party cyber risks and provide a blueprint to manage these risks.

Security Failures Threaten Third-Party Relationships

When organizations across industries uniformly fail certain cybersecurity controls, the world listens. That’s because one organization’s security failure could quickly become another’s problem. Here are two findings from the study that stood out as red flags for third-party risk: 

Vulnerability Management Failures  

Organizations across nearly every industry are struggling with controls critical to the health of an organization’s vulnerability management program. In fact, eight MVSP controls have either high 2023 Fail rates, low Pass rates, or both, across all industries. Many, if not all of them, are important for vulnerability management. Some of these controls map to Bitsight’s Patching Cadence risk vector — a measure of an organization’s vulnerability management program — which has been independently validated by the Marsh McLennan Cyber Risk Analytics Center to be significantly correlated with bad outcomes.  

This is really important for third-party risk management. Attackers are increasingly targeting less secure partners and vendors to ultimately gain access to the real target’s internal systems and data. This happened recently — after the announcement of vulnerabilities in MOVEit Transfer, unsuspecting third parties of victims found themselves affected.

The fact that so many organizations continue to fail controls important for sound vulnerability management is cause for concern. 

Software Industry Lagging Behind Macro Improvements

Many organizations trust software companies to employ security protocols that safeguard their sensitive information. But our study found that the computer software industry is lagging behind macro improvements across controls important for robust vulnerability management: it trailed the macro improvements in all but one control, 2.3 Security Headers.

Organizations should remain cautious when sharing sensitive data with third parties, including software vendors.

Managing Third-Party Risk in 2024 

These gaps serve as a wake-up call for organizations that rely on third parties, especially those that rely heavily on software vendors. The study’s findings suggest that organizations should leverage more than just one or two metrics to get a holistic view of third-party risk. Here are some strategic actions to manage third-party risk in 2024:

Vendor Risk Management (VRM) with Continuous Monitoring 

With these security gaps in mind, onboarding vendors — especially at scale — is a critical component of third-party risk management. Organizations should automate vendor onboarding and ensure third parties are within their risk tolerance.

Obtain a Full & Continuous View of Vendor Risk

A strong VRM program doesn’t end when a vendor signs a contract. Managing third-party cyber risk requires persistent vendor monitoring and awareness. Tools like security ratings, or a vendor risk management platform, can keep your team informed of how that third party’s security program is performing. Vendor risk is not static — it changes over time — so organizations need continuous risk monitoring that gives an objective view of risk levels across their entire vendor portfolios.

Detection and Response

Handle unforeseen major security events across third and fourth parties by:

  • Mitigating emerging zero day vulnerabilities at scale
  • Improving efficiency and scalability of vendor outreach
  • Focusing on what matters most with real-time reporting

When a major security event hits the news, organizations need a rapid way to detect and respond to exposure in their third-party ecosystem. Remember, attackers are increasingly targeting an organization by first compromising its third-party digital ecosystem. Without an automated and rapid way to respond to exposure, organizations could potentially remain exposed for extended periods of time, increasing the likelihood of a third-party-induced attack. 

And the state of vulnerability remediation isn’t exactly perfect — a 2023 study found that only 5 percent of organizations remediate the typical software vulnerability within the first month. The point? Organizations must take matters into their own hands to ensure their nth-party digital ecosystem is secure.

For Bitsight Customers

The MVSP standard is supported by Bitsight’s third-party risk management (TPRM) and vendor risk management (VRM) solutions. For MVSP users, Bitsight data helps automate the questionnaire process. Bitsight customers can use Bitsight VRM to ensure their vendors are aligned with the framework, among other frameworks, and easily measure their level of compliance.

MVSP controls important for vulnerability management were mapped to Bitsight’s Patching Cadence risk vector. Bitsight customers can explore their own performance over time across this critical cybersecurity analytic and the performance of their peers. 

Take Action

Third-party risk is everywhere, and it’s changing every day. Bitsight’s new study in collaboration with Google should serve as a wake-up call to organizations worldwide that third-party cyber risk is alive and well, and needs immediate attention. Get up to speed with the latest security control gaps and improvements by reading our infographic or diving deeper into the white paper.

Adopt the latest tools to help you expertly navigate this complicated risk landscape. Reach out to Bitsight to see how we can help.