Monthly Archives: December 2017

Data risk in the third-party ecosystem: second annual study

Larry Ponemon

We are pleased to present the findings of Data Risk in the Third-Party Ecosystem: Second Annual Study, sponsored by Opus, to understand trends in the challenges companies face in protecting sensitive and confidential information shared with third parties and their third parties (Nth party risk). While the findings of this study reveal that the risk of sharing sensitive and confidential information with third parties is increasing, there are governance and IT security practices that can be implemented to significantly reduce the likelihood of a third-party data breach.

Since the study was first conducted last year, companies have made little progress in improving the overall effectiveness of their third-party risk management programs. This includes understanding how many of their third and Nth parties have access to sensitive and confidential data, confirming the existence of adequate safeguards and security policies in third parties and reviewing third-party management policies and programs to ensure risks are addressed. A serious barrier to achieving these objectives is the lack of adequate resources to manage third-party risk, according to 60 percent of participants in this research.

We define the third-party ecosystem as the many direct and indirect relationships companies have with third parties and Nth parties. These relationships are important to fulfilling business functions or operations. However, the research underscores the difficulty companies have in detecting, mitigating and minimizing risks associated with third parties that have access to their sensitive or confidential information.

The study found strong correlations between certain best practices and a reduction in the likelihood of third-party data breaches. The two practices that, when deployed, most reduce the likelihood of a breach are the evaluation of the security and privacy practices of third parties (46 percent likelihood of a data breach vs. 66 percent likelihood) and an inventory of all third parties with whom the organization shares information (46 percent likelihood of a data breach vs. 65 percent likelihood).

Key Report Findings:

  • Data breaches caused by third parties are on the rise

Fifty-six percent of respondents confirm that their organizations experienced a data breach caused by one of their vendors, an increase of 7 percent over the last year.

Cyber attacks against third parties that resulted in the misuse of their company’s sensitive or confidential information also increased significantly from 34 percent to 42 percent of respondents.

  • The effectiveness of third party governance programs remains low

Less than half of all respondents say managing outsourced relationship risks is a priority in their organization.

Only 17 percent of respondents rate their companies’ effectiveness in mitigating third party risk as highly effective.

Sixty percent of respondents feel unprepared to check or verify their third parties, down from 66 percent in 2016.

  • Accountability and board level involvement increased slightly

Accountability for the third-party risk management program is dispersed throughout the organization. However, 5 percent more respondents now have an owner of the third-party program compared to last year.

Forty-two percent of respondents strongly agree or agree that their companies’ board of directors requires assurances that third-party risk is being assessed, managed and monitored.

However, only one-third of all respondents say their companies regularly report to the boards of directors on the effectiveness of the third-party management program and potential risks to the organization.

  • Companies lack visibility into third party and Nth party relationships

The average number of third parties with access to confidential or sensitive information has increased by 25 percent over last year, from 378 to 471 third parties.

More than half of all respondents do not keep a comprehensive inventory of all third parties with whom they share sensitive information.

Visibility gets worse with Nth party relationships: only 18 percent of respondents say their companies know how their information is being accessed or processed by Nth parties with whom they have no direct relationship.

Thirteen percent of all respondents could not determine if they had experienced a third-party data breach.

  • Today’s programs are insufficient to manage third party risks

Fifty-seven percent of respondents say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.

Less than half of all respondents say that their company evaluates the security and privacy practices of all vendors before starting a business relationship that requires the sharing of sensitive or confidential information.

If they do conduct an evaluation, it is mostly to acquire signatures on contracts that legally obligate the third party to adhere to security and privacy practices.

Recommendations:

  1. Evaluation of the security and privacy practices of all third parties. In addition to contractual agreements, conduct audits and assessments to evaluate the security and privacy practices of third parties.
  2. Inventory of all third parties with whom you share information. Create an inventory of third parties who have access to confidential information and how many of these third parties are sharing this data with one or more of their contractors.
  3. Frequent review of third-party management policies and programs. The third-party risk management committee should create a formal process for regularly reviewing the security and privacy practices of their third and Nth parties to ensure they address new and emerging threats, such as unsecured Internet of Things devices.
  4. Formation of a third-party risk management committee. Create a cross-functional team to regularly review and update third-party management policies and programs.
  5. Visibility into third or Nth parties with whom you do not have a direct relationship. Increase visibility into the security practices of all parties with access to company sensitive information – even subcontractors.
  6. Accountability for proper handling of the third-party risk management program. Centralize and assign accountability for the correct handling of your company’s third-party risk management program and ensure that appropriate privacy and security language is included in all vendor contracts.
  7. Third party notification when data is shared with Nth parties. Companies should include in their vendor contract requirements that third parties provide information about possible third-party relationships with whom they will be sharing sensitive information.
  8. Oversight by the board of directors. Involve senior leadership and boards of directors in third-party risk management programs. This includes regular reports on the effectiveness of these programs based on the assessment, management and monitoring of third-party security practices and policies. Such high-level attention to third-party risk may increase the budget available to address these threats to sensitive and confidential information.


‘We don’t need Net Neutrality, we have a free market.’ Why that’s wrong

Bob Sullivan

Standard Oil committed many sins on the way to infamy, and Teddy Roosevelt’s s&*t list, but a big one was “vertical integration.” Rockefeller’s people owned oil refineries, and trucks that delivered gasoline, and the gas stations that sold it, and so on. It owned businesses up and down the supply chain, right down to the person who took the money from the consumer. A clever business model, that.  And believe it or not, it’s not necessarily illegal.  Companies purchase firms in their supply chain all the time.  IKEA famously purchased acres of forests in Romania, for example. That’s just smart; unless it leads to abusive monopoly power.  If IKEA were the only place to buy furniture, purchase of forests would raise alarm bells.  Were IKEA to buy all the forests in Europe, well, now I’d hope someone would step in and stop them.  Better yet, I’d hope we’d have a rule to stop that kind of thing before it starts.  Or if we had one, I’d hope we wouldn’t rescind it because IKEA asked nicely.

That’s not precisely what happened today when FCC chairman Ajit Pai announced he would dump Net Neutrality, but it’s a pretty decent approximation.  If Net Neutrality goes down in flames, you better believe TV prices are going up. I’d bet my over-the-top SlingTV subscription on that. Let me explain.

Net neutrality sounds like a complicated concept. (So does vertical integration.)  It’s not.  The rule simply stops an Internet service provider from favoring some 1s and 0s over others.  It prevents some content providers from being charged extra to be on the fast lane, which in turn obviously means other companies would be relegated to the slow lane.

“That’s too much government interference,” neutrality opponents have said.  Then comes the Economics 101 argument that free markets, rather than the government, should decide such things.  If only these folks would take Econ 102, when monopolies come up.

See, there is no free market in Internet service.  How many options do you have for broadband at your house? If you have three, you’re lucky. Many Americans — 50 million!! — have no choice at all for internet provider; they are forced to pay the exorbitant price their single carrier requires.  So, immediately, stop with the free market cliche.  In a situation where choice is not naturally occurring, it’s just and necessary for government to step in.

Let’s add to this discussion the fact that broadband Internet is a necessity today. A quick quiz: Does Internet service have more in common with electricity, or with a subscription to a wine club? A: Internet service is a utility.

I’ll bet zero percent of those who’d argue Internet is somehow optional live without Internet at their homes. I do wish Ajit Pai had to live without home service from now until Dec. 12, when the final FCC vote will be held. Let him argue then that Internet service is not a utility.

Now, back to vertical integration, and your soon-to-be higher TV prices. Comcast is one of America’s largest Internet service providers. It also owns NBC.  That means it owns both the pipe that goes into your home, and some of the stuff that goes through that pipe.  That’s vertical integration.  After Dec. 12, Comcast will be within its rights to make NBC content look better than competitors’ services when viewed over its Internet service.  Maybe Saturday Night Live arrives in brilliant HD, but that Netflix movie you are trying to watch instead keeps pixelating and hiccuping.*

Maybe that wouldn’t be so bad if you had a dozen choices for Internet service, and you could easily say, “Screw Comcast!  I’m switching to Bob’s Internet, where Netflix always looks great.”  You already know what I’m going to say next. This magical world of ISP competition does not exist. Furthermore, as anyone who tried to intelligently purchase cell phone service in the past 15 years knows, there is no way to know how reliable your bandwidth will be when you switch services.  Even if there were options, would they really be better?  Throw on top all those anti-competitive habits like early termination fees and equipment contracts and you have a really broken market on your hands.  In that environment, competition doesn’t solve all ills.

The fear you usually hear from the mega-companies involved in this fight is that without Net Neutrality, Netflix will end up being extorted by ISPs, forced to pay extra to be in their fast lane.  Well, I’m sympathetic to ISPs on this one. At one point, Netflix and YouTube accounted for half of all Internet traffic in the evening.  Should those firms have to pay something to help build out the pipes they’re using so much? Yes, I can see this argument.  I don’t care much; let the billion-dollar corporations bicker over that. They can hold their own. They are equal adversaries in a big marketplace dispute. They can handle themselves.

Here’s what I’m worried about.  Pay TV companies are in big trouble.  They are losing subscribers all the time — so-called cord-cutters.  Some 2% of pay TV watchers are dropping cable or satellite every year. That doesn’t sound like the end of the world. There are still almost 100 million households in America who do pay. The real problem is the reality of “cord-nevers” — young people who’ve never paid for monthly TV in their lives, and never will.  That group includes some 35 million young people.  Many of them just watch stuff on Amazon Prime, or Hulu, or Netflix, or Major League Baseball Advanced Media instead.  Or, they get basic TV from over-the-top services like SlingTV instead. That costs $25 a month, and it’s great. The presence of these alternatives has also forced TV providers like Verizon to get creative, and offer “skinny” bundles at much lower costs.  Ain’t competition great?

Even with all these great new options, cable user ARPU (average revenue per user) keeps setting records.  Comcast made about $150 per subscriber last year. But that revenue is under serious threat. In 2009, only 10 percent of Americans paid for a streaming service. Today, that number is 49%, and growing. Many over-the-top users live just fine without CNN, or NBC, or ESPN.

How can pay TV companies stop the bleeding?  Well, it’s easy.  Make the over-the-top services under-the-weather.  Make your service better than something you can buy from a competitor. If you own the pipe, and you can discriminate over traffic, you can do that. You can make your content look better than theirs.  You can drive out all the other gas stations — er, TV stations — to the point where your ARPU is no longer under pressure.

*Comcast, naturally, says it would never do this.  Perhaps it won’t.  Understand, however, that Comcast is far more responsible to its shareholders than to its promises.

Ajit Pai says clear disclosures of fast lane / slow lane arrangements are all that’s needed to Make the Internet Great Again.  That’s hooey. What good is a notice saying your favorite shows won’t work so well on service A if you have no service B?

Here’s what would work. Guaranteed minimum service standards that are real, change with the times,  and are expediently enforceable. If the Net Neutrality rollback came with a real way to prove that there would be no slow lane, I’d listen.  Hey, I said I was sympathetic to the view that Netflix should pay a fair share for hogging the Internet.  Without such a real guarantee, however, everything you are hearing about Net Neutrality is a farce.  It’s an abdication of the responsibility to govern. It’s picking winners under the guise of “light-touch” regulation.  And, it’s going to hurt you.

We’ll get back to this, I promise.  The temptation ISPs will have to abuse their monopoly power will simply be too great. In fact, you’d almost believe these companies would be derelict to not exploit their newfound market power as soon as they can. That’s what companies are supposed to do.  Grow as big and powerful as possible. And governments are supposed to act as a counterbalance to that urge.

Without Net Neutrality in place, there is only one other option.  ISPs need to be broken up. There simply is no way we can allow Rockefeller to own the gasoline trucks and the gas stations… I mean we can’t have single firms owning Internet pipes and the content that travels along them.  We can deal with this now, or deal with it later, when the problems are far more endemic, and a generation of innovation has suffered. I fear we are about to choose the latter, dumber path.