New Survey Reveals Third Party Risk on the Rise While Risk Mitigation is Low on the Priority List
Report from the Ponemon Institute and Shared Assessments reveals disconnect between severity of third party risk and prioritization of risk mitigation
SANTA FE, N.M., May 2, 2016 /PRNewswire/ -- Given today's cyber security climate, it is no surprise that companies are wary of the risks associated with third party vendors. Unfortunately, these risks are only growing with the increase in disruptive technologies such as the Internet of Things and Cloud technologies. According to a survey released today conducted by the Ponemon Institute, an independent research firm focused on privacy, data protection and information security policy, and commissioned by the Shared Assessments Program, the industry-standard body on third party risk assurance, 70 percent of respondents believe that third party risk in their organization is increasing significantly. In fact, the new report, "Tone at the Top and Third Party Risk," shows that in the past 12 months, organizations spent an average of approximately $10 million to respond to security incidents as a result of negligent or malicious third parties.
The Ponemon Institute surveyed 617 executives who have a role in the risk management processes within their organizations to determine the following:
- The state of third party risk management.
- The importance of values and a positive tone to effective third party risk management.
- Third party risk assessment and management practices.
- The use of technologies and cyber insurance to manage third party risk.
"The threat landscape is constantly evolving, and as a result, third party risk is only going to increase," said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. "It has become imperative for organizations to create formal programs for vendor risk management in order to avoid being compromised, and more importantly, business leaders need to set a strong example."
In the context of this study, "tone at the top" describes an organization's control environment, as established by its C-Suite and Board. The tone at the top is set by management and affects all employees of the organization. According to the study findings, neither the C-Suite nor the Board is closely involved in third party risk management and, for most companies, there is no clear accountability at all when it comes to handling risk. Respondents overwhelmingly agreed that the best way to mitigate third party risk is for organizations to adopt a positive "tone at the top."
"If management exemplifies honesty, integrity and ethics, it is much more likely that employees will work to uphold those same values. As a result, there will be a decrease in risks caused by insider negligence and third party relationships," said Charlie Miller, Senior Vice President with the Shared Assessments Program. "This study clearly demonstrates that not only is there a major risk issue stemming from vendor and partner relationships, but the highest level of organizations, the Board and C-Suite, need to better communicate their values across the enterprise, setting a positive tone and creating formal programs to mitigate this risk, ultimately helping companies to improve their risk management practices."
The following are some of the other key findings that indicate the primary risks associated with third party vendors:
- Cloud computing, mobility and mobile devices, and big data analytics will have a significant impact, according to 71 percent, 67 percent and 51 percent of respondents, respectively.
- 50 percent of respondents do not believe the risk management process is aligned with business goals.
- Only 8 percent of respondents say improvement of their organization's relationship with business partners is a top risk management objective.
- 11 percent of respondents say their organizations are very effective at communicating values throughout the enterprise or to business partners, vendors and other third parties.
- 71 percent of respondents say when tone at the top is part of an organization's risk management strategy, the risk of working with third parties that are not trustworthy is reduced.
- 81 percent of respondents in financial services say that a strong tone at the top is essential to mitigating business risk.
- Only 7 percent of respondents in financial services say that improving the organization's relationship with business partners is a top risk management priority.
For more information on the report, visit: http://sharedassessments.org/ponemon-study/.
About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle. These resources are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; and adopted globally across a broad range of industries by both service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire and the Vendor Risk Management Maturity Model (VRMMM)) offer companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit www.sharedassessments.org.
About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.
SOURCE Shared Assessments Program