A new survey from SecZetta, a provider of third-party identity risk solutions, of more than 2,000 US adults revealed 83% of respondents agree that because organisations increasingly rely on contractors, freelancers, and other third-party workers, their data systems have become more vulnerable to cyberattacks.
Further, 88% of US adults say organisations and government entities must have better data security systems in place to protect them from the increase in third-party remote attacks. Of particular note, 53% of respondents lack confidence in the strength of the US government’s infrastructure to protect the American people from cyberattacks.
Recent high-profile breaches, including Solar Winds, Colonial Pipeline, and JBS Foods, have exposed how vulnerable organisations are to cybercrime and in particular ransomware attacks. Of note with recent attacks is how data breaches can quickly affect aspects of everyday life, such as the ability to fill a car with gasoline or buy meat at the grocery store. To rebuild consumer trust, survey respondents say organisations must invest in advanced technology systems that help proactively reduce their risk of third party-perpetrated cyberattacks.
“The surge in high-profile cyberattacks in recent months has shown how seemingly easy it is for bad actors – whether human or bots — to infiltrate an organisation’s data security infrastructure, creating chaos for the company and potential harm for consumers,” said David Pignolet, founder and CEO of SecZetta. “Many of these attacks originated through weaknesses in these organisations’ risk-based identity access and lifecycle strategies for non-employee populations.”
Safeguarding an organisation from cybercrime has become vastly more difficult given how digitised, and correspondingly interconnected, the world has become. According to recent data from the Ponemon Institute, 51% of breaches are caused by a third party, and more than half of respondents admit their organisations are not evaluating the security and privacy practices of these third-party non-employees before granting them access to sensitive and confidential information and systems.
Key insights from SecZetta’s survey include:
Survey Respondents Believe Third Parties Increase the Risk of Cyberattacks
- More than four in five US adults (83%) cite increased reliance on third-party workers as catalyst for surge in data breaches
- 88% of respondents agree organisations must have a system in place to help mitigate the risk of third-party related cyberattacks, with more than half (54%) strongly agreeing.
Consumer Trust Varies Depending on the Industry
- Survey results show US adults believe some industries are better at mitigating cyberattacks than others, but none are doing particularly well. When asked how confident they are in the following industries’ infrastructure to protect against cyberattacks:
- 53% of US adults lack confidence that the US government has the best infrastructure in place to protect Americans from cyberattacks;
- Those in the Northeast are more likely to say they’re confident in the government’s ability to thwart cyberattacks than those in the South, Midwest or West.
- 53% of US adults lack confidence that the US government has the best infrastructure in place to protect Americans from cyberattacks;
- US adults are least confident in the oil, gas and utilities industries, with only 45% saying they feel confident. Men were slightly more likely to say they were confident than women (48% vs. 43%).
- 56% of respondents express confidence that the healthcare and/or health insurance industries have the appropriate infrastructure in place to protect them from the impacts of cyberattacks.
- Slightly more than half (52%) of US adults feel confident in consumer-facing industries (i.e., financial services, retail) with men being slightly more confident than women (55% vs. 48%).
US Adults Lack Confidence in Organisations’ Ability to Prevent Cyberattacks
- More than three-quarters (78%) of US adults believe it’s easy for cybercriminals to breach an organisation.
- 73% of US adults believe most organisations today lack good controls over who has access to their computer systems and/or data.
- Of this group, those 55 years and older were more likely to agree with this statement.
- More than half of US adults (54%) express concern they and/or a family member will be directly impacted by a cyberattack on an organisation with which they do business.
- Of this group, those 30 years and older are more likely to be concerned, while men are slightly more concerned than women (57% vs. 51%).
Personal Financial Loss is of Deepest Concern to US Adults
- When asked which areas of their personal lives they feel are most vulnerable to a cyberattack, close to half of respondents (42%) cited the potential for personal financial impact from a cyberattack on an organisation with which they have a relationship.
- Of this group, those aged 30 and older are more concerned about experiencing financial loss, presumably due to having more assets to lose.
- Nearly a quarter (24%) are most concerned about the impact from disruptions to utilities and other critical industries.
- 14% are worried about disruptions to the US food supply.
“The results of the survey clearly demonstrate a heightened awareness of cybercrime across the general public who identify increased reliance on third-party workers as a leading cause of the surge in data breaches,” said Pignolet. “Given that many enterprise organisations provide access to significantly more third-party workers, including their supply chains, than full-time employees, it’s imperative they adopt comprehensive third-party identity risk management solutions to not just protect themselves and their assets, but safeguard customers from financial loss, the exposure of personally identifiable information, and the downstream effects of disruption to our country’s infrastructure. This includes the food supply chain, utilities, and even our national security.”
Too many organisations lack automated and effective methods to centrally track and manage their relationships with the burgeoning number of third parties with whom they do business. This, coupled with the lack of information organisations have about these third parties, makes them a cybercriminal’s best friend. The recent Presidential Executive Order (EO) mandates the federal government “improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” For organisations looking to make changes to their third-party identity risk security measures, there are steps they can implement today including: properly identifying who each third party is and the sensitive data to which they have access; conducting regular user audits to ensure third parties have access based on the least amount of privilege necessary to do their jobs; extending Zero Trust programs to third-party non-employees; and conducting continuous risk ratings of the individuals working within a third-party vendor or partner, not just the organisation as a whole.
As cyberattacks on organisations and government entities continue to grow in size and impact, so too will US adults’ concerns about the impact these breaches can have on their daily lives. It’s time organisations and the government take action before they’re affected by the hard and soft costs of reputational damage.
SecZetta’s omnibus survey of 2,085 US adults, aged 18 and older, was conducted online between June 29 and July 2, 2021.
