Most organizations don't understand third party cyber risks: Survey

Organizations have a big blind spot for cyber risks arising from third parties and their supply chains, according to a new survey by consulting firm PwC.

According to a report released on Tuesday, only 41 percent of survey respondents in Canada -- and 40 percent of those inquired globally -- said they were exposed to data breaches through third parties using formal enterprise-wide assessments. were in touch. Understand risk well.

PwC's Global Trust Insight report states, "Nearly a quarter in Canada and globally said they have little or no understanding on all of these risks – a major blind spot about which cyber attackers are well off." are closed." Knows and is ready to take advantage."

These results were part of a survey of 3,602 C-Suite executives in organizations around the world, including 114 Canadian respondents, on a range of cyber-related issues.

The issue of third-party risks has been around for some time, but became significant with the revelation that attackers had compromised the updated mechanisms of SolarWinds' Orion network management suite and stole data through Excellion's FTA file transfer application. Was. Were

Among other findings in the report:

More than 80 percent of Canadian officials said that avoidable organizational complexity is related to cyber and privacy risks;

Only a third of Canadian respondents reported mature data trust processes in four areas: data discovery, security, minimization and governance;

Only 30 percent of Canadian respondents quantified cyber risks by understanding financial risk and prioritizing security spending.

"Digital connections continue to grow and form complex webs that become more complex with each new technology," Sajith Nair, national technology and cloud leader at PwC Canada, said in a statement. "The answer here is not just to add more technology, but it's about working together as a unified whole, from the tech stack to the boardroom. Simplification to make it easier for organizations to secure the C-Suite." " But a tough and deliberate choice needs to be made.

“Digital and cloud transformation, when done thoughtfully, presents tremendous opportunities for organizations to simplify. However, many are inadvertently creating additional complications that expose them to unnecessary and avoidable cyber and privacy risks. do. are exposed."

Data administration and data infrastructure are considered areas of 'redundant and avoidable' complexity by the majority of Canadian respondents (80 percent and 81 percent, respectively)," the report summary said. However, only a third of Canadian respondents reported Told that four reported having mature, fully implemented data trust processes in key areas: governance, discovery, security and mitigation, while nearly one in five Canadian respondents said they had no formal data trust process. Not there.

The tech itself is not the answer to simplified security, the report said. The focus should be on working together as an integrated whole, from the tech stack to the boardroom, and starting at the top with the CEO.

Organizations that understand their third party risks, who use data to detect threats, streamline corporate operations, and have CEOs engaged in cyber goals, establish a culture of cyber security, cyber risk management More likely to report progress in increasing communication between boards. , The report states that management, and coordination of cyber strategy with business strategy.