New CyberVadis report pits expectation against reality in third party risk assessments
September 2021 by CyberVadis
CyberVadis has released a new research report to analyse the cybersecurity measures declared by organisations against the evidence-based assessments that CyberVadis conducts. The report focuses on five key areas of cybersecurity – data privacy, access management, cloud security, incident detection and response (IDR) and business continuity – to uncover potential reporting gaps that could lead to increased third party risk through uncertified assessments.
CyberVadis combines the speed of automation with the accuracy of a team of experts and engages vendors directly with cybersecurity assessments, validating results with a team of security analysts, and issuing cybersecurity ratings that organisations can share with others, along with a detailed improvement plan for increasing their score.
As more organisations use third party services, the risk to sensitive data increases. However, many fail to understand or properly monitor the security posture of their supply chains, which are often lacking due to reduced resources or time. For this report, CyberVadis collected the self-assessed declarations of cybersecurity controls of more than 1,200 organisations and analysed the results against its own assessment, which is based on a thorough, certified demonstration of these measures.
“As we look to post-pandemic strategies, many companies are still grappling with risk management, and complexity increases for larger organisations – many of which have been running to stand still as digitalisation projects accelerated during the last twelve months,” said Thibault Lapédagne Head of Cybersecurity Research at CyberVadis. “This report shines a light on inherent risks to businesses, especially those associated with partners and suppliers that have incorrectly analysed their own security profile and subsequently pose third party cybercrime risks.”
Key findings of the report include:
Data privacy due diligence doesn’t always extend to procurement
While most organisations are aware of GDPR requirements, too many focus on internal data processing policies and overlook the threat posed by third parties. CyberVadis analysts found less than one in three organisations (29%) have evaluated the risks associated with potential non-compliance with data privacy regulations. While 49% of organisations do train their employees on appropriate data protection practices, just 22% make sure that their procurement process includes dedicated controls for compliance and data privacy.
Organisations are enabling remote access, but not always securely
As the COVID-19 pandemic accelerated the move to remote operations, two thirds (62%) of organisations reported that they allow remote access to their systems. CyberVadis found that of these, just 44% have deployed a secure remote access solution. Slightly more concerning is that 37% have implemented advanced authentication methods for high-privilege accounts and only 25% of rated organisations have defined a third-party access management .
Improvement is needed in the procurement and management of cloud providers
In further demonstration of a rapid migration to the cloud, 81% of organisations declared using cloud models at present, however there is a serious risk of malicious breaches caused by misconfigured clouds and the report found this to be an area requiring the most improvement. CyberVadis assessments showed that only 26% of organisations manage the risks associated with their cloud providers, 30% ensure their cloud provider has an incident response strategy and 34% ensure their cloud providers have a business continuity plan.
Incident management processes do not include SIEMs, or prevent recurrence
For today’s organisations data breaches are a matter of when, not if, so they must take adequate steps to prepare. Strong incident detection and response capabilities are central to that, enabling cyber-attacks to be contained at an early stage before lasting damage is caused. Encouragingly, 75% of rated companies have defined an incident management process, however just 32% have deployed a Security Information and Event Management (SIEM) solution and only 32% have a ‘lessons learned’ process to identify the root-cause of incidents and reduce the probability of recurrence.
Crisis management is lacking across the board, but organisations own up to this
2020 highlighted the importance of anticipating unplanned events and implementing the necessary measures to manage a critical situation. Despite this, the report shows various crisis management shortcomings among the rated organisations. In their initial self-reporting, 95% of business leaders cite this as an area for improvement. CyberVadis assessments verify this, as just 44% of rated organisations have defined a business continuity plan, and 22% test their plan regularly. CyberVadis analysts also found that only 24% of rated organisations have defined crisis management and a mere 4% conduct periodic crisis exercises. This is worrying, as a good crisis management plan involves the dedicated team being well trained and prepared to react promptly if a major event occurs.
“When it comes to third-party suppliers, businesses cannot rely on the self-assessment of those vendors – as a breach resulting from a simple misrepresentation could lead to significant financial and reputational damage,” continued Lapédagne. “While some of our research findings are encouraging, there are still concerning gaps to remind us that security assessments must always be based on evidence and fact, rather than subjective declarations from your suppliers. Our analyst-validated audits map to all major international compliance standards, improving trust across organisations and their suppliers.”
CyberVadis collected data on the cybersecurity controls declared by 1,289 organisations in the US, EMEA and APAC and assessed these with standardised, analyst-validated audits via the CyberVadis platform.
The full report can be downloaded here: https://cybervadis.com/supply-chain...