IT Survey Shows Managing Third-Party Risks Remains a Growing and Unmet Challenge

Responses from Education IT Pros Show Vendors’ Access to and Handling of Sensitive Data Often Unmonitored

• By Kristal Kuykendall
• 07/28/22

A recent survey of IT professionals by critical access management provider SecureLink found that managing and monitoring third-party vendors with access to public schools’ networks and data remains a top challenge for education IT practitioners.

According to the survey results from IT practitioners in the U.S. education sector, shared with THE Journal by SecureLink, showed that almost half of education respondents, 45%, reported that they do not evaluate the security and privacy practices of third parties before their organization engages them and begins providing access to sensitive or confidential information, while 51% said they do conduct such evaluations.

The full survey report, “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk,” covers responses from 632 IT and security professionals across five sectors in the United States — financial services, healthcare, education, industrial, and manufacturing — who are involved in their organizations’ approach to managing third-party data risks, SecureLink said. The research was conducted by Ponemon Institute on behalf of SecureLink earlier this year.

The survey responses show that “organizations have made no significant progress in mitigating cyberattacks and have, in fact, experienced an increase in third-party attacks over the past year,” SecureLink said in the report. Survey participants from education organizations included both K–12 and higher ed IT practitioners, a spokesperson told THE Journal.

Key Findings from the Education Sector

When asked whether their organization has experienced a data breach or cyberattack caused by a third party vendor, either directly or indirectly, 42% of education respondents said yes, and 2% marked “unsure.”

Of those responding yes, over half, 54%, indicated that the breach or cyberattack had not resulted in changes in their organization’s third-party management practices.

More than a third of education respondents, 36%, rated their organization as ineffective at mitigating remote access third-party risks.

Only 17% of respondents felt confident in their effectiveness at mitigating such risks. Detecting third-party remote access is also out of reach for nearly 4 in 10 respondents, with 39% rating their organization as ineffective at detecting remote access third-party risks.

Controlling third-party access to the network is managed only slightly better, the survey showed, with 29% of respondents rating their ability to control network access as ineffective, and just 25% saying their organization was "highly effective" at controlling access to their networks.

When asked to select the five biggest factors considered when making improvements to their cybersecurity infrastructure, respondents listed:

Education IT practitioners reported little or no confidence that their third-party vendors would notify them if they had a data breach involving the school’s sensitive and confidential information: Almost a quarter of respondents said they were “not at all confident,” and only 14% answered “highly confident.”

• Only 16% of respondents said their third parties are “all aware” of the data breach reporting regulations their organization must comply with.
• 52% said their organization does not have a comprehensive inventory of all third parties with access to its network. 44% said they did, and 4% were unsure.
• 51% said they do not monitor third parties with access to your organization’s sensitive and confidential information monitored.

Respondents were asked what information their organization routinely collects and documents about its third-party vendors with access to its network and data:

• 76% Relevant and up-to-date contact information for each vendor
• 58% Identification of third parties that have our most sensitive data
• 43% Confirmation that specific security practices are in place (i.e. firewalls, employee security training, pen testing, etc.)
• 40% Confirmation that basic security protocols are in-place
• 39% The type of network access they have
• 34% Past and/or current known vulnerabilities in hardware or software

Well over half of respondents, 57%, said their education organization's third-party management program does not define or rank levels of risk.

Of the 36% of organizations that do rank levels of risk within third parties accessing school networks/data, respondents offered the following red flags as indicators of risk:

SecureLink’s report recommended that organizations reduce the complexity of their cybersecurity infrastructure, improving internal governance, and enhancing oversight practices.

Learn more about the findings and recommendations at SecureLink.com.