
Control over third-party risk

by Sebastiaan Bosman Blog 8 Apr 2020

Most organisations outsource parts of their IT infrastructure. This brings different opportunities for the services they deliver, such as cloud accessibility or faster web traffic through external web hosting. But there is a downside. As more parts of the online footprint are in the hands of third parties, the digital attack surface of your organisation grows. Even though you cannot directly control those assets, your brand can be held accountable when data is leaked. So, does an increased complexity of the digital infrastructure also mean more risks to an organisation’s online footprint? And how can you find out?

Investigating outsourcing

To answer this question, we created a framework and conducted a study using our Digital Risk Protection platform. We scanned 415 European brands from a wide variety of markets for different kinds of vulnerabilities in their online footprint. The size of an online footprint is determined by the number of assets an organisation has. Assets include IP addresses, web pages, social media accounts, etc. We found 323,000 assets in total.

It is logical that large organisations have a larger online footprint than small organisations. To determine the difference, we divided the 415 brands equally over three categories: organisations with a big, medium or small online footprint. We wanted to see by what margin larger organisations use more third parties, and whether this increased spread of assets also increases the risk profile.

Providers into perspective

First, we scanned for the number of third parties as part of the 415 brands’ online footprint. We found a total of 5,381 unique providers. By far, most providers supply services to the brands with the largest online footprint, as can be seen below.

The larger brands divide their IT infrastructure over multiple third parties. This has benefits, e.g. less impact on the whole system if a provider experiences unplanned downtime, but is also harder to keep track of and manage, and it increases the digital attack surface.

Organisation size related to risk rating

As outsourcing the IT infrastructure to third parties increases, so does the complexity of effectively mapping your online footprint - and staying in control of it. But does an increased complexity also mean that there are more vulnerabilities?

The Digital Risk Protection platform automatically subjects each asset to a number of scans and analyses. The result is a security rating from A to F. An F-rating means one or more critical vulnerabilities were found for that asset, which need to be mitigated with priority.

As can be seen below, the brands with the big online footprint have a lower percentage of critical vulnerabilities compared to the medium and small brands. This implies that outsourcing more parts of the digital infrastructure might make it more difficult to manage, but it does not necessarily mean it makes the organisation more vulnerable.

Still, it must be taken into account that these percentages are based on the risk rating of the total number of assets per brand group. That means that, in absolute numbers, there are still more assets with a critical security rating in bigger organisations than in smaller ones. The share is just lower than for organisations with smaller online footprints. However, the threat level goes up when these assets are controlled by third parties. That makes them much harder to detect, and even more difficult to manage and mitigate.

Deep dive webinar

The threat landscape is pushing towards more regulations and due diligence, as is already the case for financial institutions. The European Banking Authority has imposed guidelines for financial institutions, which usually means other markets will follow suit. See our four key takeaways from the report here.

Would you like a more complete picture of how to assess your third parties without the use of long questionnaires or forced audits? Watch our webinar here, in which CEO Pieter Jansen and SVP Strategy Eward Driehuis give a more detailed explanation of the issue, including how to map your organisation’s footprint more effectively.



Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.
