As organizations continue to migrate to the cloud, reliance on third parties and partners increases, which in turn exacerbates the risk of threats through the supply chain, a Proofpoint study shows.
The study shows that 81% of responding organizations are moderately to highly concerned about risks surrounding suppliers and partners, with 48% specifically concerned about potential data loss as a result of such risks.
This high level of concern is warranted as 58% of organizations indicated that third parties and suppliers were the target of a cloud-based breach in 2021.
The study, Cloud and Web Security Challenges in 2022, conducted in collaboration with the Cloud Security Alliance (CSA), queried more than 950 information technology and security professionals from organizations of various sizes and locations to better understand the industry’s knowledge, attitudes, and opinions regarding cloud- and web-delivered threats.
Boris Gorin, co-founder and CEO at Canonic Security, explains that third-party risk is one of the only areas in security today where the challenge still focuses on defining the approach and policies rather than executing them. Most breaches happen because we didn’t execute on a policy, not because we didn’t have one. Today, we manage the risk of known vendors we have partnered with rather than measuring the impact third-party integrations have on our environment — which may be a whole different set of vendors entirely.
“Most security breaches happen due to controls being overlooked or improperly implemented rather than for the lack of standards or processes,” Gorin says. “Therefore, if we look at existing processes for managing third-party systems and integrations, there’s a lot of room for improvement.”
The results reveal that organizations are struggling to sufficiently secure new cloud environments implemented during the pandemic while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape.
The study reveals that defending data is rightfully a top concern for businesses, with 47% listing “sensitive data loss” as their most concerning outcome of cloud and web attacks.
The specific types of data organizations are most concerned with are customer data, credentials, and intellectual property. 43% of organizations listed protecting customer data as their primary cloud and web security objective for 2022. Despite this, only one-third (36%) of the organizations surveyed have a dedicated Data Loss Prevention (DLP) solution in place.
To address this issue of sensitive data loss, it’s critical to gain an understanding of where all data is in the cloud, including multi-cloud environments and across all data stores, says Dave Burton, CMO at Dig Security. “Organizations need to ensure that they have backup capabilities in place, that they are performing software updates on a regular basis to address vulnerabilities, and that they have the right tooling in place, which could include Data Security Posture Management (DSPM) and DLP solutions.”
For the full report, visit www.proofpoint.com.