Most organisations outsource parts of their IT infrastructure. This brings different opportunities for the services they deliver, such as cloud accessibility or faster web traffic through external web hosting. But there is a downside. As more parts of the online footprint are in the hands of third parties, the digital attack surface of your organisation grows. Even though you cannot directly control those assets, your brand can be held accountable when data is leaked. So, does an increased complexity of the digital infrastructure also mean more risks to an organisation’s online footprint? And how can you find out?
To answer this question, we created a framework and conducted a study using our Digital Risk Protection platform. We scanned 415 European brands from a wide variety of markets for different kinds of vulnerabilities in their online footprint. The size of an online footprint is determined by the number of assets an organisation has. Assets are things such as IP addresses, web pages, social media accounts, etc. We found 323,000 assets in total.
It is logical that large organisations also have a larger online footprint compared to small organisations. To determine the difference, we divided the 415 brands equally over three categories: organisations with a big, medium or small online footprint. We wanted to see by what margin larger organisations use more third parties, and whether this increased spread of assets also increases the risk profile.
Providers into perspective
First, we scanned for the number of third parties as part of the 415 brands’ online footprint. We found a total of 5,381 unique providers. By far, most providers supply services to the brands with the largest online footprint, as can be seen below.
The larger brands divide their IT infrastructure over multiple third parties. This has benefits, e.g. less impact on the whole system if a provider experiences unplanned downtime, but is also harder to keep track of and manage, and it increases the digital attack surface.
Organisation size related to risk rating
As outsourcing the IT infrastructure to third parties increases, so does the complexity of effectively mapping your online footprint - and staying in control of it. But does an increased complexity also mean that there are more vulnerabilities?
The Digital Risk Protection platform automatically subjects each asset to a number of scans and analyses. The result is a security rating from A to F. An F-rating means one or more critical vulnerabilities were found for that asset, which need to be mitigated with priority.
As can be seen below, the brands with the big online footprint have a lower percentage of critical vulnerabilities compared to the medium and small brands. This implies that outsourcing more parts of the digital infrastructure might make it more difficult to manage, but it does not necessarily mean it makes the organisation more vulnerable.
Still, it must be taken into account that these percentages are based on the risk rating of the total number of assets per brand group. That means that, in absolute numbers, there are still more assets with a critical security rating in bigger organisations than in smaller ones. The proportion is simply lower than in organisations with smaller online footprints. However, the threat level goes up when these assets are controlled by third parties. That makes them much harder to detect, and even more difficult to manage and mitigate.
Deep dive webinar
The threat landscape is pushing towards more regulations and due diligence, as is already the case for financial institutions. The European Banking Authority has imposed guidelines for financial institutions, which usually means other markets will follow suit. See our four key takeaways from the report here.
Would you like a more complete picture of how to assess your third parties without the use of long questionnaires or forced audits? Watch our webinar here, in which CEO Pieter Jansen and SVP Strategy Eward Driehuis give a more detailed explanation of the issue, including how to map your organisation’s footprint more effectively.
Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.