The three-year anniversary of the SolarWinds supply-chain compromise, in which a trojanized Orion update was delivered to customers through the vendor's own build and release pipeline, has brought renewed attention to the unresolved problem of third-party risk assessment. The aftermath of that attack made the financial and legal consequences of a supply chain breach plain, yet attackers are still finding ways to exploit third-party software, and organizations remain exposed.
The most recent Forrester Research security survey reports that supply chain compromises are now the leading cause of data breaches. The MOVEit campaign shows the scale: a single vulnerability in a widely deployed file-transfer product (Progress Software's MOVEit Transfer) was exploited to reach nearly 3,000 organizations, and that count is still growing. Organizations therefore need to re-examine their third-party risk assessment programs and adopt practices that match how software is actually acquired today.
One of the key factors behind the surge in third-party risk is the growth of software-as-a-service (SaaS) subscriptions. According to Gartner, despite increased investment in third-party cybersecurity risk management, 45% of organizations have experienced third-party-related interruptions to their business. That figure goes hand in hand with the sheer number of applications in use: organizations run over 370 SaaS applications on average, with roughly 87 per department. Every one of those applications is a place where corporate data lives and an identity that can be phished or abused, so the attack surface grows with the count, and assessing each relationship becomes correspondingly harder.
In the past, enterprise software procurement was a lengthy, centrally controlled process, which had the side effect of limiting how many third-party systems an organization onboarded. With SaaS, a team can start a subscription with a credit card and an OAuth consent screen, so purchasing decisions have become decentralized. The result is a far larger and less visible set of vendors, many of which were never routed through a security review, which makes consistent risk assessment much harder.
The emergence of AI-powered productivity tools has further contributed to the SaaS sprawl and associated third-party risk. The demand for innovative and consumer-grade products among employees has led to an increase in vendor onboarding, counteracting the efforts of organizations to consolidate their vendor relationships.
To address these challenges, organizations need to move from periodic, questionnaire-driven assessments to continuous monitoring fed by real-time signals such as breach notifications, vulnerability disclosures, and changes in a vendor's external attack surface. Assessments should be tiered by the risk a vendor actually poses (what data it holds and how critical it is to operations), with standardized procedures so that vendors in the same tier are evaluated consistently and efficiently. Organizations also need to confirm compliance with international data privacy laws, evaluate how prepared a vendor is to respond to a security incident, account for fourth-party risk (the vendor's own subprocessors and suppliers), and assess how resilient the vendor's supply chain is to disruption.
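The tiering and fourth-party points above are easier to see with a small model. The following is an added example, not code from the original article or any vendor's product: it tiers a constructed vendor inventory by data sensitivity and criticality, maps each tier to an assumed reassessment cadence, and then walks the vendor-to-subprocessor graph so that a breach notification about a fourth party (here a hypothetical hosting provider, "CloudHostCo") is turned into an ordered list of direct vendors to reassess. All vendor names, the tier policy, the cadence values and the "breach-notification" signal are constructed for illustration.

```python
"""Vendor tiering plus fourth-party exposure lookup.

Added illustration: every vendor name, the tiering policy, the cadence
values and the monitoring signal below are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed policy: data classes that push a vendor into a higher tier.
REGULATED = {"pii", "phi", "financial", "credentials"}

# Assumed policy: days between full reassessments for each inherent-risk tier.
CADENCE_DAYS = {1: 90, 2: 180, 3: 365}


@dataclass
class Vendor:
    name: str
    data_classes: set
    business_critical: bool
    # Third parties the vendor itself relies on, i.e. our fourth parties.
    subprocessors: list = field(default_factory=list)


def inherent_tier(v: Vendor) -> int:
    """Tier 1 = critical and handles regulated data; tier 2 = one of the two; tier 3 = neither."""
    handles_regulated = bool(v.data_classes & REGULATED)
    if v.business_critical and handles_regulated:
        return 1
    if v.business_critical or handles_regulated:
        return 2
    return 3


def build_dependents(vendors, fourth_party_links):
    """Reverse the dependency edges: entity -> set of entities that rely on it."""
    dependents = {}
    edges = [(v.name, s) for v in vendors for s in v.subprocessors]
    edges += fourth_party_links  # (who, relies_on) pairs learned from subprocessor lists
    for who, relies_on in edges:
        dependents.setdefault(relies_on, set()).add(who)
    return dependents


def exposed_vendors(vendors, fourth_party_links, compromised, max_hops=4):
    """Breadth-first search upward from the compromised entity.

    Returns {direct vendor name: number of hops to the compromised entity}.
    A direct vendor may also sit underneath another direct vendor, so the
    walk continues past vendors instead of stopping at the first hit.
    """
    direct = {v.name for v in vendors}
    dependents = build_dependents(vendors, fourth_party_links)
    seen = {compromised}
    queue = deque([(compromised, 0)])
    hits = {}
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for parent in dependents.get(node, ()):
            if parent in seen:
                continue
            seen.add(parent)
            if parent in direct:
                hits[parent] = hops + 1
            queue.append((parent, hops + 1))
    return hits


def triage(vendors, fourth_party_links, signal):
    """Turn one monitoring signal into an ordered reassessment list (tier, then hops, then name)."""
    by_name = {v.name: v for v in vendors}
    hits = exposed_vendors(vendors, fourth_party_links, signal["entity"])
    rows = [(name, inherent_tier(by_name[name]), hops) for name, hops in hits.items()]
    return sorted(rows, key=lambda r: (r[1], r[2], r[0]))


# Constructed inventory of direct vendors and what we know about their subprocessors.
INVENTORY = [
    Vendor("PayrollCloud", {"pii", "financial"}, True, ["CloudHostCo", "EmailRelay"]),
    Vendor("CRMSuite", {"pii"}, True, ["DataWarehouseCo"]),
    Vendor("TeamChat", {"internal"}, True, ["CloudHostCo"]),
    Vendor("NoteTakerAI", {"internal"}, False, ["ModelAPI"]),
]
# Constructed fourth-party links: (who, relies_on) as disclosed in vendors' subprocessor lists.
FOURTH_PARTY_LINKS = [("DataWarehouseCo", "CloudHostCo"), ("ModelAPI", "GPUCloud")]
# Constructed real-time signal, as a continuous-monitoring feed might deliver it.
SIGNAL = {"source": "breach-notification", "entity": "CloudHostCo", "date": "2023-12-01"}

if __name__ == "__main__":
    for v in INVENTORY:
        t = inherent_tier(v)
        print(f"{v.name:12s} tier {t}  reassess every {CADENCE_DAYS[t]} days")
    print("signal:", SIGNAL)
    for name, tier, hops in triage(INVENTORY, FOURTH_PARTY_LINKS, SIGNAL):
        print(f"  reassess {name} (tier {tier}, {hops} hop(s) from {SIGNAL['entity']})")
```

The point the walk makes is that a single fourth-party notice fans out: the hosting provider appears nowhere in CRMSuite's own contract with you, yet CRMSuite is exposed through its data-warehouse subprocessor, and it lands near the top of the list because of its tier, not its distance. In a real program the inventory and the subprocessor links would come from the vendor register and the vendors' published subprocessor lists, and the signal from whatever monitoring feed the organization subscribes to.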
As the number of third-party relationships keeps growing, risk assessment programs have to scale with the business, and technologies such as AI and machine learning can take over the repetitive work of collecting and analyzing vendor data. Continuously evaluating and updating the program, rather than treating a vendor as assessed once and forgotten, is what improves an organization's security posture against third-party risk. That proactive approach is the best available defense against the next headline-making supply chain incident.