Vendor risk is not just third-party risk: it’s much more. Your business is complex, and relies on other businesses who in turn rely on still others. This branching network of dependencies means that your immediate business partners – your third parties – actually make up only a small portion of your business supply chain, and the risk it poses. In our last RiskRecon relationships report we dug into third-party risk and scratched the surface of fourth party, but we stopped short of exploring the whole web of relationships. This time we want to zoom out to see the whole tangled web.
What we have found is that while your third-party relationships are closest and might prove the most tangible risks to your business, their business partners still pose a substantial threat to your enterprise, as do the fourth parties’ vendors (your fifth parties), their vendors (your sixth parties), and so on. While these orgs are at a larger degree of separation, you’ll have less visibility into how they operate and the risks they pose. In vendor risk, as in life, it’s the culprits you can’t see who are most likely to cause you harm.
How much harm? Possibly, more than you think. The effects of an attack on a third, fourth, fifth, or higher party – commonly referred to as “nth party” – don’t just ripple outward. They spread in multiple directions: inward, too, and upward, and sideways, usually affecting more than one organization at a time. Nth-party relationships aren’t linear, but consist of numerous, multiple, repeating connections.
While we might think of them as a tree, with your company forming the trunk, your third-party partnerships the limbs, your fourth-party relationships the branches, et cetera, it’s not that simple. Your third parties often rely on each other. A single 4th party is frequently relied upon by a large segment of your third parties. A business-to-business network can be highly interconnected. The result is an intricate network of relationships... and risk.
Suddenly, a single incident at a 4th party doesn’t just affect one 3rd party you rely upon, but multiple. An outage at a 3rd party means many of your other 3rd parties might be affected. Nothing happens in isolation.
In a new blog series, we’ll try to unravel the implications of the complex network of interconnectedness. We'll examine where the bulk of your supply chain exists within your vendor ecosystem and how interconnected that supply chain is. Our research finds that as your supply chain moves away from you, the businesses you deal with get more unlike your own, and more diverse. Then we’ll dive directly into risk and show exactly how events might ripple out and affect your business, even when it seems like you should be insulated.
Understanding this complex web of risky relationships means decomposing our investigation into a number of parts. First we collected security assessments of more than 50,000 business-to-business relationships. Along with that data we collected information on the size and industry of those organizations as well as their security history. Then we dove right in and started to pick apart:
What we found was often alarming and sometimes counterintuitive – and always pointing back to this caveat: Effective risk management means vetting and monitoring not just your third-party risks but those associated with your business partners’ business partners, and their partners, and so on, throughout the tangled nth-party web.
This is not a task for an individual, but having a partner equipped and ready to help you navigate these relationships (like RiskRecon) is key.
The parlor game of “six degrees of separation from Kevin Bacon” goes like this: Name an actor and see if you can create a chain of films costarring successive actors until, eventually, one of those costars is Kevin Bacon. The goal is to find such a chain in fewer than 6 steps (or the minimum number of steps if you’re ambitious). This game is based on the “small-world” concept popularized by psychologist Stanley Milgram in the 1960s, which found that personal connections were constructed in such a way that just about anyone could be reached in just a few steps. It turns out the phenomenon exists in your supply chain network too; in particular, your supply chain doesn’t extend especially far.
Throughout this report we’ll use the term “first party” to refer to your organization. In common parlance, 2nd party is usually reserved for customers, and so won’t enter into our vocabulary in this report. 3rd parties are those other businesses that your organization relies on directly. From here we proceed sequentially: 4th parties are those that your 3rd parties rely upon, 5th parties are those that your 4th parties rely upon, and so on. This means 6 degrees of separation actually exists at your eighth party. So to answer how often supply chains actually extend that far, let’s examine Figure 1.
Two things are interesting here. First, a large majority of organizations’ supply chains do extend out to that maximum 8th party (6 hops) of separation, but none of the orgs in our study go beyond that. Another interesting thing we see is that very few organizations’ (13.3%) supply chains have shorter reach than that. Why this clustering around 6 degrees of separation? To answer that question we’ll look at the size of an organization’s supply chain at each distance in Figure 2.
What’s striking here is that we see the bulk of business relationships exist at the 4th and 5th party level. So while the median of 45 organizations you have direct contact with may pose the most immediate risk as far as impact, they are dwarfed by the nearly 14x more organizations that comprise your 4th and 5th parties. We can examine this on a percentage basis as well in Figure 3, and see the same result, but one in which it’s easier to draw conclusions.
In particular we see that for most organizations 40% of their supply chain is in their 4th party relationships, with another ~40% in their 5th party relationships. The rapid drop-off starting at the 6th party level we saw in Figure 2 is mirrored here.
We also see the answer to the mystery raised in Figure 1: the size of the network declines precipitously starting at the 6th party. Indeed, there are typically only a little more than a dozen firms at the 7th party level, and most organizations have only a handful of 8th party relationships. So while most organizations’ networks expand out to that 8th party, that circle is incredibly small.
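As an added illustration (not code or data from the RiskRecon report), the following Python models a small constructed vendor network, assigns each organization its party tier by counting hops from the first party exactly as defined above (hop 1 = 3rd party, hop 2 = 4th party, and so on), and then walks the dependency edges in reverse to show which of your 3rd parties an incident at a deeper-tier vendor actually reaches. All organization names are hypothetical.

```python
from collections import deque, defaultdict

# Constructed vendor-dependency graph (hypothetical organizations, not report data).
# Each key relies directly on the organizations listed; "You" is the first party.
RELIES_ON = {
    "You": ["PayrollCo", "CloudHost", "CRMVendor"],
    "PayrollCo": ["CloudHost", "IdentityProv"],
    "CloudHost": ["DNSProv", "IdentityProv"],
    "CRMVendor": ["CloudHost", "EmailRelay"],
    "IdentityProv": ["DNSProv", "CertAuth"],
    "EmailRelay": ["DNSProv"],
    "DNSProv": ["Registrar"],
    "CertAuth": [],
    "Registrar": [],
}

def party_tiers(graph, first_party="You"):
    """Breadth-first walk from the first party; each org gets the closest tier it is reached at."""
    hops = {first_party: 0}
    queue = deque([first_party])
    while queue:
        org = queue.popleft()
        for dep in graph.get(org, []):
            if dep not in hops:
                hops[dep] = hops[org] + 1
                queue.append(dep)
    # Hop 0 is the first party; 2nd party (customers) is skipped, so hop 1 is the 3rd party.
    return {org: (h + 2 if h else 1) for org, h in hops.items()}

def tier_sizes(tiers):
    """How many organizations sit at each party level (3rd, 4th, ...), as in Figure 2."""
    sizes = defaultdict(int)
    for org, n in tiers.items():
        if n >= 3:
            sizes[n] += 1
    return dict(sizes)

def affected_by_incident(graph, victim, first_party="You"):
    """Reverse the edges and walk upward: every org that transitively relies on the victim.
    Returns (all affected orgs excluding you, the subset that are your direct 3rd parties)."""
    dependents = defaultdict(set)
    for org, deps in graph.items():
        for dep in deps:
            dependents[dep].add(org)
    affected, queue = set(), deque([victim])
    while queue:
        org = queue.popleft()
        for upstream in dependents.get(org, ()):
            if upstream not in affected:
                affected.add(upstream)
                queue.append(upstream)
    affected.discard(first_party)
    return affected, affected & set(graph.get(first_party, []))
```

In the constructed graph an incident at DNSProv, a 4th party, reaches all three of your 3rd parties, while one at EmailRelay reaches only CRMVendor; the same walk over a real vendor inventory is what surfaces the shared deeper-tier vendors the post warns about.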
The takeaway: If you’re managing your third-party vendor risk (something many companies struggle with) but neglecting your fourth parties and beyond, you’re barely scratching the topsoil of your threat landscape. 80% of most organizations’ supply chain is located within the 4th and 5th party relationships.
Over the next couple of weeks, we will continue to unravel where supply chain risk exists and where you should be focusing your efforts to keep your business secure. Download our full research here, to get all the details within our study!