Recent years have seen incredible growth in the reliance of businesses on third parties; these might be the third-party vendors that a business needs for its supply chain, or a third party's solution that the business depends on.
Whatever the business case may be, it is clear that modern day businesses cannot function efficiently without collaboration with third parties. For that effective collaboration, third parties are granted access to the company’s network, connecting them directly to the business.
Evidently, with the growing dependence on third parties, attacks via third parties are increasing as well. The Ponemon Institute's 2018 Third Party Data Risk study shows that 59% of companies reported having experienced a data breach through their vendors; this is an increase of 3% from the 2017 study and a 10% increase from that of 2016. As attacks via third parties are on the rise, businesses should consider taking significant measures to mitigate that risk. It is no longer sufficient just to mitigate the risk in your own managed systems; businesses also need to focus on how secure their vendors' systems and processes are and on the level of access those vendors have. Because you are only as good as your weakest link, it could take only one breach in a vendor's systems for an attacker to reach your own network, compromising your most valuable assets and potentially significantly affecting the company's reputation.
But the risk of third parties is not limited to security; as the GDPR has shown, privacy is a significant topic as well when it comes to third-party risk management. Third-party access to a company's data can compromise its confidentiality and integrity, and every company should address those issues. Apart from the GDPR, new regulations are constantly being introduced to reduce privacy-related risks, and when it comes to third-party risk management, companies must take these into account and comply with these new regulations as well.
As mentioned before, the growing reliance of businesses on third parties has increased the cyber risk for businesses. But with the growing risk, there is also an encouraging rise in awareness of that risk among senior executives. Recent research has shown that a growing number of business executives realise that risks from third parties will materialise and may affect their business in the near future, and that their companies are not managing that risk effectively. In fact, the Ponemon Institute's 2018 Third Party Data Risk study shows that only 16% of companies claim they effectively mitigate third-party risk.
Third parties are essential to the business these days, and no company can function efficiently without that type of collaboration. However, since this collaboration also means third parties can access the company's network, we have to prevent the misuse of that connection. In an environment that is constantly developing, new technologies are introduced, and with them new risks. Investing in the management of third-party risk will ensure that the risk associated with vendors is reduced, allowing the business to keep functioning efficiently in a more secure environment.
Want to know more about KPMG’s approach and how you can manage your journey towards effective third-party risk management?
For more information, please contact Bert Koelewijn, senior manager Cyber Security.
© 2020 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. KPMG International Cooperative ('KPMG International') is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.