
Control over third-party risk

by Sebastiaan Bosman Blog 8 Apr 2020

Most organisations outsource parts of their IT infrastructure. This brings different opportunities for the services they deliver, such as cloud accessibility or faster web traffic through external web hosting. But there is a downside. As more parts of the online footprint are in the hands of third parties, the digital attack surface of your organisation grows. Even though you cannot directly control those assets, your brand can be held accountable when data is leaked. So, does an increased complexity of the digital infrastructure also mean more risks to an organisation’s online footprint? And how can you find out?

Investigating outsourcing

To answer this question, we created a framework and conducted a study using our Digital Risk Protection platform. We scanned 415 European brands from a wide variety of markets for different kinds of vulnerabilities in their online footprint. The size of an online footprint is determined by the number of assets an organisation has. Assets are things such as IP addresses, web pages, social media accounts, etc. We found 323,000 assets in total.

It is logical that large organisations also have a larger online footprint compared to small organisations. To determine the difference, we divided the 415 brands equally over three categories: organisations with a big, medium or small online footprint. We wanted to see by what margin larger organisations use more third parties, and whether this increased spread of assets also increases the risk profile.

Providers into perspective

First, we scanned for the number of third parties as part of the 415 brands’ online footprint. We found a total of 5,381 unique providers. By far, most providers supply services to the brands with the largest online footprint, as can be seen below.

The larger brands divide their IT infrastructure over multiple third parties. This has benefits, e.g. less impact on the whole system if a provider experiences unplanned downtime, but is also harder to keep track of and manage, and it increases the digital attack surface.

Organisation size related to risk rating

As outsourcing the IT infrastructure to third parties increases, so does the complexity of effectively mapping your online footprint - and staying in control of it. But does an increased complexity also mean that there are more vulnerabilities?

The Digital Risk Protection platform automatically subjects each asset to a number of scans and analyses. The result is a security rating from A to F. An F-rating means that one or more critical vulnerabilities were found for that asset, which need to be mitigated with priority.

As can be seen below, the brands with the big online footprint have a lower percentage of critical vulnerabilities compared to the medium and small brands. This implies that outsourcing more parts of the digital infrastructure might make it more difficult to manage, but it does not necessarily mean it makes the organisation more vulnerable.

Still, it must be taken into account that these percentages are based on the risk rating of the total number of assets per brand group. That means that, in absolute numbers, there are still more assets with a critical security rating in bigger organisations than in smaller ones; they just make up a smaller share than in organisations with smaller online footprints. However, the threat level goes up when these assets are controlled by third parties. That makes them much harder to detect, and even more difficult to manage and mitigate.

Deep dive webinar

The threat landscape is pushing towards more regulations and due diligence, as is already the case for financial institutions. The European Banking Authority has imposed guidelines for financial institutions, which usually means other markets will follow suit. See our four key takeaways from the report here.

Would you like a more complete picture of how to assess your third parties without the use of long questionnaires or forced audits? Watch our webinar here, in which CEO Pieter Jansen and SVP Strategy Eward Driehuis give a more detailed explanation of the issue, including how to map your organisation’s footprint more effectively.


Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.
