It is virtually impossible to operate a business, organization, or local government these days without reliance on third parties or third-party tools. While many relationships with third-party entities are publicly visible, others may occur behind the scenes. There is no question, however, that these relationships are crucial for driving day-to-day activities in 2021.

With the increased reliance on third- and fourth-party services comes an increased attack surface and subsequent risk. It’s no longer only necessary for organizations to understand their own cybersecurity posture. It is equally important that organizations understand the cybersecurity posture and potential dangers introduced by their third parties.

It is no surprise that articles such as “U.S. cities disclose data breaches after vendor’s ransomware attack” and stories involving breaches of vendors leveraged by multiple cities have become regular news items in the past few years. By attacking city vendors, cybercriminals increase the efficiency of their hacks, carrying out “one-to-many” style campaigns where data from constituents across multiple geographies are impacted at once.

In evaluating the 271 cities in our research sample, we visited each city’s official website to identify easily observable third parties providing website development services. A common theme emerged: 126 of the websites visited (46%) disclosed publicly, via the website footer, that they were powered or enabled by a third party. While this is just one category of the myriad types of third-party providers with whom local governments typically engage, we chose to use this observation to highlight the dependency on third-party vendors to support everyday operations.

Below, we explore select findings on the most observed third-party website development providers, highlighting some of the risks they can introduce and the importance of maintaining a robust third-party risk management program. These risks become even more important to consider when looking at third parties that manage payments, government services, and other essential services on behalf of the city.

We looked further into the cybersecurity posture of the three most prevalent website developers that we observed. The most prevalent website developer provided services for 49 (18%) of the cities evaluated, with the other two most common providers supporting an additional 31 cities. We then analyzed and stratified the assessments of cities by their website developer. Our analysis showed that the average RiskRecon rating, and performance across our nine security domains, varied significantly depending on a city’s website developer. While the highest-performing group of cities (when grouped by website developer) had an average RiskRecon rating of 7.9 (a B rating), the worst-performing cities associated with a specific website developer scored only 7.0 (barely meeting the threshold for a B rating).

This trend continued across most security domains: the worst-performing group of cities had an average of 3.73 “priority 1” issues in their portfolio, compared to an average of 1.55 “priority 1” issues across all 271 cities. Furthermore, the same low-performing group of cities had an average of 130 security findings per city, compared to an average of 85 security findings among the cities whose websites were developed by the three prevalent providers. Perhaps most startling is that the same group of cities suffered nearly 40% more breach events when compared to all 271 cities.
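As an added example (not code from the RiskRecon report or its authors), the script below sketches the two steps described above: reading the disclosed website developer from a page footer, then stratifying city assessments by that vendor to compare average rating, “priority 1” issues and total findings per vendor group. The footer regex, the record field names and the sample cities, vendors and scores are all assumptions constructed for illustration.

```python
"""Footer-based vendor identification and per-vendor stratification (added example)."""
import re
from collections import defaultdict
from statistics import mean

# Footer credit phrasings ("Powered by X", "Designed by X", ...); the vendor name is
# the capture group. Assumed pattern: tune it to the phrasings you actually observe.
FOOTER_RE = re.compile(
    r"(?:powered|enabled|developed|designed)\s+by\s+"
    r"(?:<a[^>]*>)?\s*([A-Za-z0-9][A-Za-z0-9 .&'-]{1,40}?)\s*(?:</a>|[.|<]|$)",
    re.IGNORECASE,
)

# Constructed sample: fictional cities, vendors and scores, not the report's data.
SAMPLE = [
    {"city": "A", "html": '<footer>© City A. Powered by <a href="https://example-cms.test">ExampleCMS</a></footer>', "rating": 7.9, "p1_issues": 1, "findings": 80},
    {"city": "B", "html": "<footer>Website designed by ExampleCMS.</footer>", "rating": 7.1, "p1_issues": 4, "findings": 140},
    {"city": "C", "html": "<footer>Enabled by OtherVendor | Privacy</footer>", "rating": 8.3, "p1_issues": 0, "findings": 60},
    {"city": "D", "html": "<footer>All rights reserved.</footer>", "rating": 7.5, "p1_issues": 2, "findings": 90},
]

def footer_vendor(html):
    """Return the vendor credited in the footer, or None if nothing is disclosed."""
    m = FOOTER_RE.search(html)
    return m.group(1).strip() if m else None

def stratify(cities):
    """Group assessments by disclosed vendor and summarise each group.

    Each city is a dict with keys html, rating, p1_issues, findings. Cities with no
    footer disclosure are grouped under "(undisclosed)"; share is the fraction of
    all cities served by that vendor, i.e. the concentration risk of one provider.
    """
    groups = defaultdict(list)
    for c in cities:
        groups[footer_vendor(c["html"]) or "(undisclosed)"].append(c)
    total = len(cities)
    return {
        vendor: {
            "count": len(g),
            "share": round(len(g) / total, 2),
            "avg_rating": round(mean(c["rating"] for c in g), 2),
            "avg_p1": round(mean(c["p1_issues"] for c in g), 2),
            "avg_findings": round(mean(c["findings"] for c in g), 1),
        }
        for vendor, g in groups.items()
    }

if __name__ == "__main__":
    for vendor, summary in sorted(stratify(SAMPLE).items()):
        print(f"{vendor:15} {summary}")
```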

Stay tuned for more blogs discussing our exclusive research on the cybersecurity risk posture of city governments and download our full report here.