Close Encounters of the Third- (and Fourth-) Party Kind: The Blog

With organizations becoming increasingly digitally connected, a lack of visibility into their vendors’ security diligence has made exploiting these relationships a go-to tactic for cybercriminals.

So, what can organizations do to minimize risk stemming from their business ecosystems?

New research from SecurityScorecard, the global leader in cybersecurity ratings, and the Cyentia Institute, an independent cybersecurity research firm, analyzed SecurityScorecard’s data from over 230,000 organizations to provide insights on this important topic.

One striking finding that emphasizes the importance of third-party risk management: 98% of organizations have at least one vendor that’s had a breach in the last two years. While this statistic doesn’t mean that these breaches impacted all connected organizations, it does highlight the scope of indirect exposure to risk.

Let’s dive deeper into some other insights that help us understand the true extent of exposure from third- and fourth-party relationships.

How many third- and fourth-party relationships do organizations have?

The typical number (peak density) of third-party relationships is about 10, while three-quarters of organizations have less than 30. Only 4% of the analyzed firms have over 100 direct vendor relationships.

The research also analyzed the difference in third-party relationships among industries, which uncovered that organizations in some sectors tend to maintain more third-party relationships than others. Unsurprisingly, the information services sector had the highest average number of third-party relationships (25), while the finance sector had the lowest (6.5).

When it comes to fourth-party relationships, based on third parties observed via Automatic Vendor Detection, the typical organization has indirect relationships with 60 to 90 times the number of fourth parties.

To grasp the importance of fourth-party risk management, the research focuses on uncovering the most common “vendors of your vendors.” While only a handful of third-party vendors are used by more than 50% of organizations, that number increases to 99% for four parties, which means that most organizations are no more than two steps removed from each of the top 50 vendors.

So, does the number of vendor relationships impact security risk?

Answering this question is difficult without generalizing. Instead, the research focuses on whether less secure organizations have more vendor relationships. The answer to that question is YES.

On average, organizations with an “F” or “D” SecurityScorecard rating have more than twice the number of third-party relationships than organizations with an “A” rating.

The same trend continues with fourth-party relationships. The fourth-party growth multiplier of organizations with a failing security grade is 10x that of those rated A.

While these findings merely indicate a correlation between having more vendors and being less secure, it’s undeniable that vendors do add complexities, dependencies, and vulnerabilities that require continuous monitoring.

Read the full report here to learn more about these and other insights from this research, along with steps your organization can take to minimize potential risk stemming from your third or fourth parties.