Nearly three-quarters (72%) of cybersecurity professionals are concerned about supply chain risks to their organization following high-profile incidents like the SolarWinds campaign, according to a new poll.
Run by the Infosecurity Europe trade show, which is owned by the same company as Infosecurity Magazine, the poll received over 2500 responses on Twitter last week.
Nearly two-fifths (38%) said they were “very” concerned about the potential risks from third parties, whilst 34% claimed they were “somewhat” concerned.
They’re right to be: 28% admitted to having no processes in place to control data flows to and from third parties and a fifth (20%) didn’t even know if such measures had been implemented.
Even though more than half (52%) of respondents claimed to have processes in place, only a third (35%) said they actually enforce policy in this area.
Separate research from earlier this month revealed that almost half (44%) of North American organizations have suffered a breach via a third party over the past 12 months.
Even more (51%) said their organization is not assessing the security and privacy practices of suppliers before allowing them to access sensitive data.
Maxine Holt, senior research director at Omdia, argued that discovery must be the first step in assessing supplier risk.
“Which organizations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritize accordingly,” she explained.
“Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”
Experts have argued in the past that accurate risk assessments are often out of reach for organizations as there’s too much reliance on trust and manual, spreadsheet-based approaches to provide assurance.
Run by the Infosecurity Europe trade show, which is owned by the same company as Infosecurity Magazine, the poll received over 2500 responses on Twitter last week.
Nearly two-fifths (38%) said they were “very” concerned about the potential risks from third parties, whilst 34% claimed they were “somewhat” concerned.
They’re right to be: 28% admitted to having no processes in place to control data flows to and from third parties and a fifth (20%) didn’t even know if such measures had been implemented.
Even though more than half (52%) of respondents claimed to have processes in place, only a third (35%) said they actually enforce policy in this area.
Separate research from earlier this month revealed that almost half (44%) of North American organizations have suffered a breach via a third party over the past 12 months.
Even more (51%) said their organization is not assessing the security and privacy practices of suppliers before allowing them to access sensitive data.
Maxine Holt, senior research director at Omdia, argued that discovery must be the first step in assessing supplier risk.
“Which organizations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritize accordingly,” she explained.
“Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”
Experts have argued in the past that accurate risk assessments are often out of reach for organizations as there’s too much reliance on trust and manual, spreadsheet-based approaches to provide assurance.