While CISOs are concerned by the increasing threat of third-party cyberattacks, few have implemented security measures to protect their organisations against attack.

New research from Panorays shows 94 percent of CISOs are concerned with third-party cybersecurity threats – including 17 percent who view it as a top priority. However, only three percent have already implemented a third-party cyber risk management solution at their organizations and 33 percent plan to implement one this year.
In 2024, 65 percent of CISOs expect the third-party cyber risk management budget to increase. Of those respondents, 40 percent said it would increase by 1-10 percent this year.
“CISOs understand the threat of third-party cybersecurity vulnerabilities, but a gap exists between this awareness and implementing proactive measures,” said Matan Or-El, Founder and CEO at Panorays. “Empowering CISOs to swiftly fortify defences by analysing and addressing gaps is crucial in navigating the current cyber landscape. After all, with the speed of AI development, bad actors will continue to leverage this technology for data breaches, operational disruptions, and more.”
Third-party security management
The government’s Cyber Security Breaches Survey shows that larger organisations have become a key target over the last year.
CISOs at very large enterprises (73 percent) are more concerned about third-party cybersecurity threats compared to mid-size enterprises (47 percent). Only seven percent of CISOs said they were not concerned at all. Of the respondents, 34 percent are currently implementing a third-party cyber risk management solution and 26 percent plan to implement a new solution in 2025 or later. Four percent of CISOs said it was not a priority and three percent had never even heard of a third-party cyber risk management solution. While CISOs see the value of implementation, widespread adoption of third-party security solutions is low.
Asked who manages third-party risk in their organisations, 54 percent said the team included IT, risk, operations or privacy teams. Thirty-six percent said their security was managed by back office teams (legal, finance and procurement) and 10 percent outsourced to external service providers. Of the respondents, 79 percent said their teams were six to 20 people and five percent had more than 20 people responsible for third-party cyber risk management in their organisation.
Prioritising third-party security management
The top challenge CISOs see in 2024 when it comes to third-party risk management is complying with new regulations for third-party risk management (20 percent). Other challenges included:
- Communicating the business influence of third-party risk management: 19 percent
- Not enough resources to manage risk in the growing supply chain: 18 percent
- AI-based third-party breaches increasing: 17 percent
- No visibility into Shadow IT usage in their company: 16 percent
- Prioritising the risk assessment efforts based on risk criticality: 10 percent
CISOs remain confident that AI solutions can improve third-party security management. Of the respondents, 80 percent said AI-driven solutions can prevent a significant number of breaches. When it comes to reducing third-party threats, CISOs use a combination of tools to gain effectiveness. Out of different security options, CISOs rated cyber questionnaires for third parties (73 percent), compliance management tools (70 percent) and API monitoring of third parties in the supply chain (68 percent) as the most effective tools.