Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Cyberattacks through an organization’s vendors or suppliers are greatly underreported. According to new research from Ponemon Institute and Mastercard’s RiskRecononly 34% of organizations are confident their suppliers would notify them of a breach of their sensitive information.

Organizations are dependent upon their third-party vendors to provide such important services as payroll, software development or data processing. However, without having strong security controls in place, vendors, suppliers, contractors or business partners can put organizations at risk for a third-party data breach.

Unfortunately, new research by Ponemon Institute and Mastercard’s RiskRecon provides evidence that third-party data breaches may be underreported, as only 34% of organizations are confident their vendors would notify them of a data breach involving their sensitive information.

Image source: RiskRecon

This helps explain why weak third-party security controls continue to be a chink in the armor for enterprises, as 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, with 54% occurring in the past 12 months.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

The issue extends downstream as well, as 38% of organizations say the breach was caused by one of their “Nth parties,” indicating the flaws in third parties’ security controls that are in place for their vendors and partners. As a result, only 21% of organizations are confident that their Nth party would notify them of a breach.

There are several key best practices organizations should follow to mitigate third-party cyber-risk, yet the research shows more work needs to be done. These include creating and maintaining an inventory of all third parties and frequently evaluating their security and privacy controls. Unfortunately, the research found that only 36% of organizations do so when entering a relationship, while only 43% regularly review those controls.

The primary reasons organizations are not following such best practices are lack of accountability and involvement by boards of directors. Surprisingly, only 18% of organizations report that the CISO is accountable, while 35% report that third-party cyber-risk is not a board-level priority.

The RiskRecon 2022 Data Risk in the Third-Party Ecosystem study is based on a survey of 1,162 IT and IT security professionals in North America and Western Europe conducted by the Ponemon Institute from May 2 – June 30, 2022.

Read the full report from RiskRecon and Ponemon Institute.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.