Choosing a partner business with a poor security posture makes an organization 360 times more likely to be at risk than choosing a top security performer, according to a new study.
The risk surface research from Cyentia Institute and RiskRecon shows that single demographic factors, such as industry, size and region, aren’t enough to assess the risk posed by third parties.
A company’s ‘risk surface’ refers to anywhere an organization’s ability to operate, reputation, assets, legal obligations, or regulatory compliance is exposed to risk. The aspects of a firm’s risk exposure that are associated with or are observable from the internet are its internet risk surface. Given that a huge portion of a modern organization’s value-generating activities rely on internet enabled processes and third-party relationships, the risk surface can be much more extensive than you might expect.
Interestingly, choosing to be ‘cloud-first’ with a single provider gives an organization, on average, a nearly 85 percent greater chance of being a top security performer.
Having a bigger technology footprint doesn’t necessarily mean a more problematic one; what matters more is how effectively the tools are used. The report also looks at the most problematic technologies across organizations. For example, issues around Apache are 60.5 times more frequent in bottom performers than in top performers.
The report’s authors conclude, “Whether you are starting to utilize inherent risk rankings or trying to enhance what you currently use for initial vendor prioritization, examining an organization’s technical footprint is a component that can greatly impact how you rank your vendors. Take the time to go through the technologies that are being used in addition to taking a look at their technological footprint. How many technologies is this organization not only using but is also responsible for upkeep and monitoring? Are they using a cloud as a host provider? How many severe findings can be found in those specific technologies?”
You can find out more on the RiskRecon blog. The company is also offering complimentary enterprise access to assess and monitor the cybersecurity of your supply chain for 30 days.
Image credit: ASDF_MEDIA / Shutterstock