Survey: Third-Party Risks to Networks, Data Remains an Unmet Challenge

IT practitioners in the education sector report that vendors' access to and handling of sensitive data is often unmonitored.

A spring 2022 survey of IT professionals in the education sector by access management provider SecureLink found that many educational institutions are neither managing nor monitoring third-party vendors with access to campus networks and student data.

The survey results from IT practitioners in the U.S. education sector, shared with Campus Technology by SecureLink, showed that almost half of education respondents, 45%, reported that they do not evaluate the security and privacy practices of third parties before their organization engages them and begins providing access to sensitive or confidential information, while 51% said they do conduct such evaluations.

The full survey report, "Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk," covers responses from 632 IT and security professionals across five sectors in the United States — financial services, healthcare, education, industrial and manufacturing — who are involved in their organizations' approach to managing third-party data risks, SecureLink said. The research was conducted by Ponemon Institute on behalf of SecureLink earlier this year.

The survey responses show that "organizations have made no significant progress in mitigating cyberattacks and have, in fact, experienced an increase in third-party attacks over the past year," SecureLink said in the report.

Survey participants from education organizations included both K–12 and higher ed IT practitioners, a spokesperson told Campus Technology.

Key Findings from the Education Sector

When asked whether their organization has experienced a data breach or cyberattack caused by a third-party vendor, either directly or indirectly, 42% of education respondents said yes, and 2% marked "unsure."

Of those responding yes, over half, 54%, indicated that the breach or cyberattack had not resulted in changes in their organization's third-party management practices.

More than a third of education respondents, 36%, rated their organization as ineffective at mitigating remote access third-party risks. Only 17% of respondents felt confident in their effectiveness at mitigating such risks.

Detecting third-party remote access is also out of reach for nearly four in 10 respondents, with 39% rating their organization as ineffective at detecting remote access third-party risks.

Controlling third-party access to the network is managed only slightly better, the survey showed, with 29% of respondents rating their ability to control network access as ineffective, and just 25% saying their organization was "highly effective" at controlling access to their networks.

When asked to select the five biggest factors considered when making improvements to their cybersecurity infrastructure, the top responses were:

  • 60% reported system effectiveness issues (high false positive);
  • 60% reported in-house expertise;
  • 57% reported system complexity issues;
  • 46% reported hardware requirements; and
  • 46% reported system performance issues.

Sixty-three percent of respondents reported lack of oversight or governance as the most significant barrier to achieving a strong security posture in their organization's cybersecurity infrastructure. Other challenges included:

  • 55% reported insufficient visibility of people and business processes; and
  • 49% reported insufficient assessment of cybersecurity risks.

Education IT practitioners reported little or no confidence that their third-party vendors would notify them if they had a data breach involving their organization's sensitive and confidential information: Almost a quarter of respondents said they were "not at all confident," and only 14% answered "highly confident."

  • Only 16% of respondents said their third parties are "all aware" of the data breach reporting regulations their organization must comply with.
  • 52% said their organization does not have a comprehensive inventory of all third parties with access to its network. 44% said they did, and 4% were unsure.
  • 51% said they do not monitor third parties with access to their organization's sensitive and confidential information.

Respondents were asked what information their organization routinely collects and documents about its third-party vendors with access to its network and data:

  • 76% relevant and up-to-date contact information for each vendor;
  • 58% identification of third parties that have our most sensitive data;
  • 43% confirmation that specific security practices are in place (e.g., firewalls, employee security training, pen testing);
  • 40% confirmation that basic security protocols are in place;
  • 39% the type of network access they have; and
  • 34% past and/or current known vulnerabilities in hardware or software.

Fifty-seven percent of respondents said their education organization's third-party management program does not define or rank levels of risk.

Of the 36% of organizations that do rank levels of risk within third parties accessing campus networks/data, respondents offered the following red flags as indicators of risk:

[Chart from the SecureLink survey; image not included]

When asked about the steps organizations take to ensure third parties' compliance with privacy and security regulations, 59% of respondents said they encrypt transmissions for all open or public networks. But only 18% had a policy in place banning the use of vendor-supplied security parameters or default passwords. Other strategies in place included:

[Chart from the SecureLink survey; image not included]

SecureLink's report recommended that organizations reduce the complexity of their cybersecurity infrastructure, improve internal governance, and enhance oversight practices.

Learn more about the findings and recommendations at SecureLink.com.
