IT Survey Shows Managing Third-Party Risks Remains a Growing and Unmet Challenge

Responses from Education IT Pros Show Vendors’ Access to and Handling of Sensitive Data Often Unmonitored

A recent survey of IT professionals by critical access management provider SecureLink found that managing and monitoring third-party vendors with access to public schools’ networks and data remains a top challenge for education IT practitioners.

The survey results from IT practitioners in the U.S. education sector, shared with THE Journal by SecureLink, showed that almost half of education respondents, 45%, reported that they do not evaluate the security and privacy practices of third parties before their organization engages them and begins providing access to sensitive or confidential information, while 51% said they do conduct such evaluations.

The full survey report, “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk,” covers responses from 632 IT and security professionals across five sectors in the United States — financial services, healthcare, education, industrial, and manufacturing — who are involved in their organizations’ approach to managing third-party data risks, SecureLink said. The research was conducted by Ponemon Institute on behalf of SecureLink earlier this year.

The survey responses show that “organizations have made no significant progress in mitigating cyberattacks and have, in fact, experienced an increase in third-party attacks over the past year,” SecureLink said in the report. Survey participants from education organizations included both K–12 and higher ed IT practitioners, a spokesperson told THE Journal.

Key Findings from the Education Sector

When asked whether their organization has experienced a data breach or cyberattack caused by a third-party vendor, either directly or indirectly, 42% of education respondents said yes, and 2% marked “unsure.”

Of those responding yes, over half, 54%, indicated that the breach or cyberattack had not resulted in changes in their organization’s third-party management practices.

More than a third of education respondents, 36%, rated their organization as ineffective at mitigating remote access third-party risks.

Only 17% of respondents felt confident in their effectiveness at mitigating such risks. Detecting third-party remote access is also out of reach for nearly 4 in 10 respondents, with 39% rating their organization as ineffective at detecting remote access third-party risks.

Controlling third-party access to the network is managed only slightly better, the survey showed, with 29% of respondents rating their ability to control network access as ineffective, and just 25% saying their organization was "highly effective" at controlling access to their networks.

When asked to select the five biggest factors considered when making improvements to their cybersecurity infrastructure, respondents listed:

 Survey responses from education IT professionals provided to THE Journal by SecureLink

Education IT practitioners reported little or no confidence that their third-party vendors would notify them if they had a data breach involving the school’s sensitive and confidential information: Almost a quarter of respondents said they were “not at all confident,” and only 14% answered “highly confident.”

  • Only 16% of respondents said their third parties are “all aware” of the data breach reporting regulations their organization must comply with.
  • 52% said their organization does not have a comprehensive inventory of all third parties with access to its network. 44% said they did, and 4% were unsure.
  • 51% said they do not monitor third parties with access to their organization’s sensitive and confidential information.

Respondents were asked what information their organization routinely collects and documents about its third-party vendors with access to its network and data:

  • 76% Relevant and up-to-date contact information for each vendor
  • 58% Identification of third parties that have our most sensitive data
  • 43% Confirmation that specific security practices are in place (i.e. firewalls, employee security training, pen testing, etc.)
  • 40% Confirmation that basic security protocols are in place
  • 39% The type of network access they have
  • 34% Past and/or current known vulnerabilities in hardware or software

Well over half of respondents, 57%, said their education organization's third-party management program does not define or rank levels of risk.

Of the 36% of organizations that do rank levels of risk within third parties accessing school networks/data, respondents offered the following red flags as indicators of risk:

Survey responses from education IT professionals provided to THE Journal by SecureLink 

SecureLink’s report recommended that organizations reduce the complexity of their cybersecurity infrastructure, improve internal governance, and enhance oversight practices.

Learn more about the findings and recommendations at SecureLink.com.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group.

