Canadian organizations are working with a number of third-party partners and suppliers to provide a wide range of services, from IT outsourcing to managing and administering entire business processes. While these partners provide vital services, many organizations overlook them in their cybersecurity planning. On average, small organizations work with 13 third-party suppliers or partners, while enterprise organizations work with 82. Though working with third parties is often a necessary practice, these relationships put organizations of all sizes at risk of serious data breaches.
According to our 2020 Security Study, more than four in five organizations (82%) reported a security incident due to the poor security hygiene of a third-party partner. In addition, less than 40 percent of organizations consider including relationships with third-party partners in their security planning. Enterprise organizations, which work with the largest number of third-party partners, were the worst offenders. Only 28 percent of enterprise organizations have a cybersecurity plan that comprehensively includes all third-party partners and, even more concerning, seven percent of all organizations surveyed admit that third-party partners were not considered in their cybersecurity planning at all. Nearly all organizations surveyed allow third-party partners to handle or access customer data and proprietary business information. Without basic visibility into the security of third-party partners, organizations are extremely vulnerable to serious and costly cyber-attacks.
Proper review of third-party security can be incredibly challenging when working with many partners. To protect proprietary data while maintaining relationships with third-party partners, organizations need to understand what data and systems third parties are accessing and implement policies and controls to limit that access. Third parties should only be given access to the data and information that is relevant to their tasks. To limit partner access, it's important to gain a holistic view of a third party's IT environment and security maturity. It may not be possible to perform proper threat and risk assessments on every partner an organization deals with, but something as simple as a periodic questionnaire can help an organization understand whether basic controls and policies are in place in its partners' environments.
Organizations can also consider implementing an identity and access management process to ensure that vendors who require access to systems and data can be authenticated and identified. This offers better visibility into the network of partners and gives the organization the ability to revoke a partner's access to data when it is no longer required. Scheduling annual check-ins with suppliers and partners to confirm that their security policies are up to date can also help assess a partner's security measures. If a third party does not prioritize data security, it may be time to consider other options or suppliers.
To learn more about what organizations can do to protect themselves against cyberattacks, check out our full 2020 Security Study here.