
Third-Party Risk Management: CRA Research Reveals Security Concerns


Visibility across partner, customer and third-party ecosystems is "essential but painfully limited" for many security teams, according to a survey of more than 300 IT and cybersecurity decision-makers and influencers conducted by CRA Business Intelligence, the research and content division of cybersecurity information services company CyberRisk Alliance.

In some ways, the survey findings reinforce recent trends in the MSP and MSSP ecosystems -- where service providers have spent recent years striving to safeguard their software supply chains from ransomware and other malware attacks. MSP and MSSP software supply chains are attractive targets because a single compromised MSP software supplier can give attackers a pathway to thousands of MSPs and tens of thousands of end-customers.

Third-Party Risk Management: Research Findings

In the broader security market, key findings from CRA's survey included:

  • 76 percent of respondents rated managing third-party risk as a high or critical priority in their organizations, and 74 percent said this priority has increased in importance since 2020.
  • 72 percent noted tracking supply chain components, sub-assemblies and final products is very or critically important.
  • 60 percent have experienced an IT security incident in the past two years caused by a third-party partner with access privileges, with stolen sensitive data and business outages the most likely consequences.
  • 52 percent of respondents who experienced third-party-related attacks indicated they lost less than $100,000 in damages, and 45 percent incurred higher costs.

The survey also highlighted the biggest challenges in managing third-party risk, including:

  • Lack of qualified staff to implement a third-party management solution (30 percent)
  • Prioritizing, assessing and managing a large number of partners (26 percent)
  • Lack of resilience against attacks or malware from trusted third parties (23 percent)
  • Getting a full picture of the supply chain and associated risks (21 percent)
  • Lack of external intelligence (21 percent)
  • Lack of communications or coordination between IT security, governance, leadership and procurement teams (20 percent)

In addition, 54 percent of survey respondents said they rely on third-party partners' assessments to evaluate the risks associated with working with their vendors. Meanwhile, 43 percent indicated they hire an outside service to learn about the risks of partnering with a third-party vendor.

Tips to Manage Third-Party Risk

CRA offers the following tips to help organizations manage third-party risk:

  • Prioritize third-party risk management.
  • Understand and prepare for the risks of working with third-party vendors.
  • Use the NIST Cybersecurity Framework, ISO 27001 and other industry standard frameworks for third-party assessments.
  • Adopt multiple methods to vet vendors.
  • Conduct ongoing third-party risk assessments.
  • Maintain visibility across the supply chain.
  • Leverage third-party risk management technology.

Transparency and visibility are crucial in third-party vendor relationships, CRA pointed out. By communicating and collaborating with third parties, organizations can work with them to guard against risk.

Disclosure: MSSP Alert is owned by CyberRisk Alliance.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.