
Third-party data breaches are becoming the new norm, but most companies aren’t taking important steps to protect themselves.

Ponemon Institute’s third annual “Data Risk in the Third-Party Ecosystem” study, released Monday, found that 59% of respondent companies experienced a data breach caused by a third party or vendor. Another 22% of respondents said they didn’t know if they had been impacted by a third-party data breach over the past year.

Ponemon’s study was sponsored by Opus, a global compliance and risk management solutions provider, and surveyed more than 1,000 chief information security officers from a variety of industries in the U.S. and U.K.

Growing problem

American companies were more likely to say they’d experienced a third-party breach, at 61%. According to the report, that’s a 5% increase from last year and a 12% increase from 2016. More than 75% of all respondents said third-party data breach incidents are on the rise.

“It’s growing,” Lee Kirschbaum, the senior vice president and head of product, marketing and alliances for Opus, told Corporate Counsel. “It’s not getting better, it’s getting worse, especially in the U.S.”


But only 16% of respondents said their companies are “highly effective in mitigating third-party risks.” Nearly two-thirds of companies don’t keep a comprehensive inventory of third parties. Most respondents cited lack of centralized control, lack of resources and the complexity of third-party relationships as the reason for not keeping a comprehensive inventory.

Important to mitigate risk

Dov Goldman, the vice president of innovation and alliances of Opus, said it’s important that companies mitigate the risk of third-party breaches.

“The third-party ecosystem is an ideal environment for cyber criminals looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” Goldman said in a press release. “To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that supports automated technology and strong governance practices.”

Most respondents said their company’s management of third-party risks is not effective or a priority, that they don’t have sufficient resources to manage those relationships and that they’re unaware of whether vendors are doing enough to prevent a breach.

Some companies, however, have been effective at preventing third-party breaches from impacting them. Ponemon’s study highlighted tactics those organizations have used to stay protected.

Best practices

Respondents said best practices include evaluating security and privacy practices of third parties, keeping a comprehensive inventory of third parties used, requiring third parties to provide notice when a breach happens and including the board of directors in risk management programs.

“A takeaway for me was that so many companies just weren’t doing [best practices],” Kirschbaum said. “I don’t think it’s obvious to the market.”
