<img src="https://certify.alexametrics.com/atrk.gif?account=kla4t1zDGU20kU" style="display:none" height="1" width="1" alt="">
Contact us
Request demo →
Contact us

Control over third-party risk

by Sebastiaan Bosman Blog 8 Apr 2020

Most organisations outsource parts of their IT infrastructure. This brings different opportunities for the services they deliver, such as cloud accessibility or faster web traffic through external web hosting. But there is a downside. As more parts of the online footprint are in the hands of third parties, the digital attack surface of your organisation grows. Even though you cannot directly control those assets, your brand can be held accountable when data is leaked. So, does an increased complexity of the digital infrastructure also mean more risks to an organisation’s online footprint? And how can you find out?

 Investigating outsourcing

To answer this question, we created a framework and conducted a study using our Digital Risk Protection platform. We scanned 415 European brands from a wide variety of markets for different kinds of vulnerabilities in their online footprint. The size of an online footprint is determined by the number of assets an organisation has. Assets are things such as ip addresses, web pages, social media accounts, etc. We found 323,000 assets in total.

It is logical that large organisations also have a larger online footprint compared to small organisations. To determine the difference, we divided the 415 brands equally over three categories: organisations with a big, medium or small online footprint. We wanted to see by what margin larger organisations use more third parties, and whether this increased spread of assets also increases the risk profile.

Providers into perspective

First, we scanned for the number of third parties as part of the 415 brands’ online footprint. We found a total of 5,381 unique providers. By far, most providers supply services to the brands with the largest online footprint, as can be seen below.

The larger brands divide their IT infrastructure over multiple third parties. This has benefits, e.g. less impact on the whole system if a provider experiences unplanned downtime, but is also harder to keep track of and manage, and it increases the digital attack surface.

Organisation size related to risk rating

As outsourcing the IT infrastructure to third parties increases, so does the complexity of effectively mapping your online footprint - and staying in control of it. But does an increased complexity also means that there are more vulnerabilities?

The Digital Risk Protection platform automatically subjects each asset to a number of scans and analyses. The result is a security rating from A to F. An F-rating means there is one or more critical vulnerability found for that asset, which needs to be mitigated with priority.

As can be seen below, the brands with the big online footprint have a lower percentage of critical vulnerabilities compared to the medium and small brands. This implies that outsourcing more parts of the digital infrastructure might make it more difficult to manage, but it does not necessarily mean it makes the organisation more vulnerable.

Still, it must be taken into account that these percentages are based on the risk rating of the total number of assets per brand group. That means that, in absolute numbers, there are still more assets with a critical security rating in bigger organisations than in smaller ones. Only not as much when compared with organisations with smaller online footprints. However, the threat level goes up when these assets are controlled by third parties. That makes them much harder to detect, and even more difficult to manage and mitigate.

Deep dive webinar

The threat landscape is pushing towards more regulations and due diligence, as is already the case for financial institutions. The European Banking Authority has imposed guidelines for financial institutions, which usually means other markets will follow suit. See our four key takeaways from the report here.

Would you like a more complete picture of how to assess your third parties without the use of long questionnaires or forced audits? Watch our webinar here, in which CEO Pieter Jansen and SVP Strategy Eward Driehuis give a more detailed explanation of the issue, including how to map your organistion’s footprint more effectively. 

Watch the webinar


Sebastiaan Bosman is Content Marketeer at Cybersprint.
With a background in Comm
unications and Linguistics,
he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.

Cybersprint 5-year anniversary

2020 marks our five-year anniversary! To celebrate, we will publish five video interviews about our journey so far. One video every Thursday in the month October. 

read more

Hâck The Hague: From council questions to a unique hacking competition

The Hague Municipality’s Council, Monday 30th of September 2019 at 10:25 AM. On this location 3 years ago, the idea for the first edition of this event was established. Today, as chairman I have the pleasure to initiate its third edition, Hâck The Hague 2019. For the third year in a row, the municipality of The Hague and Cybersprint are working together to test the digital security of the city along with its inhabitants.

read more

Use case: Provincie Overijssel

For governmental organisations, it is important to have a clear overview of their digital footprint and risks. They need to ensure the right policies are in place when it comes to cybersecurity. To illustrate their challenges, and the benefits of digital footprint management, we've interviewed one of our customers from the governmental sector. Rick Verkade, Security and Privacy Specialist at Provincie Overijssel shares his experiences in this interview.

read more

Do you have a question?

Our experts have the answers

Contact us