Security News > 2020 > November > Study finds 31% of third-party vendors could cause significant damage to organizations if breached
The "State of Third Party Risk Management" report surveyed 154 third-party risk management professionals and found that they assess a median of 50 vendors each year, with most enterprises reporting having a TPRM program for about five to six years.
"In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide," said Kelly White, CEO and co-founder of RiskRecon.
Respondents were split almost evenly, with one third assessing fewer than 25 vendors annually, another third handling between 25 and 100, while the last third dealt with more than 100 vendors.
While the average respondent said about 30% of their vendors would pose a risk to their own operation if they were breached, another fourth said half of the third-party vendors could have severe impact on their enterprise if an attack was successful.
About 30% of respondents said their enterprise did not have any full-time employees working on dealing with third party risk, with just 1 in 10 respondents having 15 or more employees working on TPRM. The lack of staff was a problem 57% of respondents cited as a reason they were limited in their ability to keep up with the responsibilities of managing risk across their third-party portfolio.