Organizations have a large blind spot to cyber risks arising from third parties and their supply chains, according to a new survey by consulting firm PwC.
Only 41 per cent of Canadian survey respondents — and 40 per cent of those questioned globally — said they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments, according to a report released Tuesday.
“Nearly a quarter in Canada and globally said they have little or no understanding at all of these risks — a major blind spot of which cyber attackers are well aware and willing to exploit,” PwC’s Global Trust Insight report said.
The results were part of a survey of 3,602 C-suite executives in organizations around the world, including 114 Canadian respondents, on a number of cyber-related issues.
The issue of third-party risks has been around for some time but took on heightened importance with the revelation that attackers had compromised the update mechanism of SolarWinds’ Orion network management suite and were stealing data through Accellion’s FTA file transfer application.
Among other findings in the report:
- Over 80 per cent of Canadian executives said that avoidable organizational complexity poses ‘concerning’ cyber and privacy risks;
- Only a third of Canadian respondents report having mature data trust processes across four areas: data discovery, protection, minimization, and governance;
- Only 30 per cent of Canadian respondents quantify cyber risks to understand financial exposure and prioritize security spend.
“Digital connections continue to multiply and form complex webs that grow more intricate with each new technology,” Sajith Nair, PwC Canada’s national technology and cloud leader, said in a statement. “The answer here isn’t just adding more technology, instead it’s about working together as a unified whole, from the tech stack to the boardroom. This requires the C-suite to make hard and deliberate choices on simplification to make organizations easier to secure.
“Digital and cloud transformation, when done thoughtfully, provides organizations tremendous opportunities to simplify. Many, however, are unintentionally introducing additional complexities which are exposing them to unnecessary and avoidable cyber and privacy risks.”
“Data governance and data infrastructure are considered to be areas of ‘unnecessary and avoidable’ complexity by a majority of Canadian respondents (80 per cent and 81 per cent, respectively),” said a summary of the report. However, only a third of Canadian respondents report having mature, fully implemented data trust processes in four key areas: governance, discovery, protection, and minimization, while nearly one in five Canadian respondents says they have no formal data trust processes in place at all.
Tech, in itself, isn’t the answer to simplified security, the report says. The focus should be on working together as a unified whole, from the tech stack to the boardroom, and starting at the top with the CEO.
Organizations that understand their third-party risks, use data to spot threats, have streamlined corporate operations, and have a CEO engaged in cyber goals are more likely to report progress in instilling a culture of cybersecurity, managing cyber risk, enhancing communication between boards and management, and co-ordinating cyber strategy with business strategy, says the report.