Third-party risk management programs are needed to protect against breaches

A report from Mastercard’s RiskRecon and the Cyentia Institute found that it is increasingly important for enterprises to have third-party risk management programs in place in order to avoid security breaches. Indeed, 60% of the third-party risk management professionals surveyed stated that managing such risk is now a priority for their businesses.


Since the start of the pandemic, many organizations have seen the scale and complexity of their risk surface grow, and the risk now sitting in the hands of third parties requires far more performance visibility than questionnaire-based assessments provide. Third-party risk teams are therefore adapting the risk management strategies they deploy to protect their own business, moving toward rapid acquisition and analysis of objective data that reveals the actual quality of each vendor’s risk management program.


It was reported that around 30% of vendors would pose a risk to a company’s own operations in the event of a security breach, and a further quarter of respondents stated that half of their third-party vendors could have a significant impact on their business if an attack succeeded. Fewer than 10% answered that their companies had dealt with a breach caused by a third-party compromise in the past three years.


The study also revealed that attacks on third-party vendors are increasing and are becoming more damaging because companies rely heavily on those vendors for critical services. Organizations therefore risk compromising their sensitive data as well as their ability to operate and keep up with demand for their own services.


Accordingly, two thirds of participants stated that third-party risk management programs were becoming essential for their companies, and almost 80% said that their enterprise had implemented a formal program to address the risk. These programs are most often organized and run by the information security department; in some organizations they sit with vendor management or procurement, or with the compliance or legal department.


Although the need for these programs is growing, most companies do not have employees dedicated full-time to third-party risk. This lack of staff remains an issue, as existing employees are limited in their ability to keep up with the responsibilities of managing risk across the whole third-party portfolio.


Yet 84% of participants revealed that they still use questionnaires as their main risk assessment method, while others rely on documentation reviews.


Hence, there is a vital need for a better way of managing third-party security risk, one that achieves better risk outcomes more efficiently.