New report explores risks associated with third party IT services
- Published: Wednesday, 29 September 2021 09:25
CyberVadis has released a new research report to analyse risks associated with third party IT services. It focuses on five key areas of cyber security: data privacy, access management, cloud security, incident detection and response (IDR) and business continuity.
Key findings of the report include:
Data privacy due diligence doesn’t always extend to procurement
While most organizations are aware of GDPR requirements, too many focus on internal data processing policies and overlook the threat posed by third parties. CyberVadis analysts found that fewer than one in three organizations (29 percent) have evaluated the risks associated with potential non-compliance with data privacy regulations. While 49 percent of organizations do train their employees on appropriate data protection practices, just 22 percent make sure that their procurement process includes dedicated controls for compliance and data privacy.
Organizations are enabling remote access, but not always securely
As the COVID-19 pandemic accelerated the move to remote operations, two thirds (62 percent) of organizations reported that they allow remote access to their systems. CyberVadis found that of these, just 44 percent have deployed a secure remote access solution. More concerning still, only 37 percent have implemented advanced authentication methods for high-privilege accounts, and only 25 percent of rated organizations have defined third-party access management.
Improvement is needed in the procurement and management of cloud providers
In a further demonstration of the rapid migration to the cloud, 81 percent of organizations declared that they currently use cloud models. However, misconfigured cloud environments carry a serious risk of malicious breaches, and the report found this to be the area requiring the most improvement. CyberVadis assessments showed that only 26 percent of organizations manage the risks associated with their cloud providers, 30 percent ensure their cloud provider has an incident response strategy, and just 3 percent ensure their cloud providers have a business continuity plan.
Incident management processes do not include SIEMs, or prevent recurrence
For today’s organizations, data breaches are a matter of when, not if, so they must take adequate steps to prepare. Strong incident detection and response capabilities are central to that, enabling cyber attacks to be contained at an early stage before lasting damage is caused. Encouragingly, 75 percent of rated companies have defined an incident management process; however, just 32 percent have deployed a Security Information and Event Management (SIEM) solution, and only 32 percent have a ‘lessons learned’ process to identify the root cause of incidents and reduce the probability of recurrence.
Crisis management is lacking across the board, but organizations own up to this
2020 highlighted the importance of anticipating unplanned events and implementing the measures needed to manage a critical situation. Despite this, the report shows various crisis management shortcomings among the rated organizations. In their initial self-reporting, 95 percent of business leaders cite this as an area for improvement. CyberVadis assessments confirm this: just 44 percent of rated organizations have defined a business continuity plan, and only 22 percent test their plan regularly. CyberVadis analysts also found that only 24 percent of rated organizations have defined crisis management, and a mere 4 percent conduct periodic crisis exercises. This is worrying, as a good crisis management plan requires a dedicated team that is well trained and prepared to react promptly if a major event occurs.