Survey: Third-Party Risks to Networks, Data Remains an Unmet Challenge

IT practitioners in the education sector report that vendors' access to and handling of sensitive data is often unmonitored.

A spring 2022 survey of IT professionals in the education sector by access management provider SecureLink found that many educational institutions are neither managing nor monitoring third-party vendors with access to campus networks and student data.

The survey results from IT practitioners in the U.S. education sector, shared with Campus Technology by SecureLink, showed that almost half of education respondents, 45%, reported that they do not evaluate the security and privacy practices of third parties before their organization engages them and begins providing access to sensitive or confidential information, while 51% said they do conduct such evaluations.

The full survey report, "Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk," covers responses from 632 IT and security professionals across five sectors in the United States — financial services, healthcare, education, industrial and manufacturing — who are involved in their organizations' approach to managing third-party data risks, SecureLink said. The research was conducted by Ponemon Institute on behalf of SecureLink earlier this year.

The survey responses show that "organizations have made no significant progress in mitigating cyberattacks and have, in fact, experienced an increase in third-party attacks over the past year," SecureLink said in the report.

Survey participants from education organizations included both K–12 and higher ed IT practitioners, a spokesperson told Campus Technology.

Key Findings from the Education Sector

When asked whether their organization has experienced a data breach or cyberattack caused by a third-party vendor, either directly or indirectly, 42% of education respondents said yes, and 2% marked "unsure."

Of those responding yes, over half, 54%, indicated that the breach or cyberattack had not resulted in changes in their organization's third-party management practices.

More than a third of education respondents, 36%, rated their organization as ineffective at mitigating remote access third-party risks. Only 17% of respondents felt confident in their effectiveness at mitigating such risks.

Detecting third-party remote access is also out of reach for nearly four in 10 respondents, with 39% rating their organization as ineffective at detecting remote access third-party risks.

Controlling third-party access to the network is managed only slightly better, the survey showed, with 29% of respondents rating their ability to control network access as ineffective, and just 25% saying their organization was "highly effective" at controlling access to their networks.

When asked to select the five biggest factors considered when making improvements to their cybersecurity infrastructure, the top responses were:

  • 60% reported system effectiveness issues (high false positive);
  • 60% reported in-house expertise;
  • 57% reported system complexity issues;
  • 46% reported hardware requirements; and
  • 46% reported system performance issues.

Sixty-three percent of respondents reported lack of oversight or governance as the most significant barrier to achieving a strong security posture in their organization's cybersecurity infrastructure. Other challenges included:

  • 55% reported insufficient visibility of people and business processes; and
  • 49% reported insufficient assessment of cybersecurity risks.

Education IT practitioners reported little or no confidence that their third-party vendors would notify them if they had a data breach involving their organization's sensitive and confidential information: Almost a quarter of respondents said they were "not at all confident," and only 14% answered "highly confident."

  • Only 16% of respondents said their third parties are "all aware" of the data breach reporting regulations their organization must comply with.
  • 52% said their organization does not have a comprehensive inventory of all third parties with access to its network. 44% said they did, and 4% were unsure.
  • 51% said they do not monitor third parties with access to their organization's sensitive and confidential information.

Respondents were asked what information their organization routinely collects and documents about its third-party vendors with access to its network and data:

  • 76% relevant and up-to-date contact information for each vendor;
  • 58% identification of third parties that have our most sensitive data;
  • 43% confirmation that specific security practices are in place (i.e. firewalls, employee security training, pen testing, etc.);
  • 40% confirmation that basic security protocols are in place;
  • 39% the type of network access they have; and
  • 34% past and/or current known vulnerabilities in hardware or software.

Fifty-seven percent of respondents said their education organization's third-party management program does not define or rank levels of risk.

Of the 36% of organizations that do rank levels of risk within third parties accessing campus networks/data, respondents offered the following red flags as indicators of risk:

[Chart: SecureLink survey]

When asked about the steps organizations take to ensure third parties' compliance with privacy and security regulations, 59% of respondents said they encrypt transmissions for all open or public networks. But only 18% had a policy in place banning the use of vendor-supplied security parameters or default passwords. Other strategies in place included:

[Chart: SecureLink survey]

SecureLink's report recommended that organizations reduce the complexity of their cybersecurity infrastructure, improve internal governance, and enhance oversight practices.

Learn more about the findings and recommendations at SecureLink.com.
