Third parties can play an essential role in your ability to grow your business and remain competitive. That is why, according to Gartner, 60% of organizations now are working with more than 1,000 third-parties, including partners, sub-contractors, and suppliers. Of course, if you’re not careful, these trusted partnerships may introduce unwanted cyber risk into your organisation.
This is particularly true as more and more businesses are moving to mandated work-from-home models — because residential IPs account for more than 90% of all observed malware infections and compromised systems.
With this widespread workforce shift, new vulnerabilities are being introduced both internally and within your third-party network, thereby increasing risk across your ecosystem as a whole.
As your third-party network continues to expand, it’s more important than ever to ensure each potential vendor goes through the necessary vetting process. But this can be a challenging feat if you don’t have all the information you need to evaluate their cyber risk posture effectively — and even more difficult if you’re facing pressure from above to accelerate your vendor onboarding process.
In order to meet the demands of the business, it’s critical to find a way to perform the necessary assessments while keeping your process as flexible and agile as possible. With BitSight for Third-Party Risk Management, you can gain immediate visibility into cyber risks within a potential vendor’s ecosystem, enabling you to reduce your onboarding time and cost — and scale your process to assess and monitor all your vendors with the resources you have today.
An Efficient And Effective Vendor Onboarding Process
In the world of vendor onboarding, it’s important to remember one simple truth: No two vendors are the same. If you use a one-size-fits-all assessment approach, you’ll end up wasting time and resources conducting extended, full-blown assessments on non-critical vendors — thereby undermining your efforts to onboard more quickly, go to market faster, and gain a competitive edge.
Each third-party presents different risk levels, and therefore merits different treatment when it comes time to assess their security postures. Here are four steps you can take to streamline your assessments and yield better results:
1. Group Vendors by Criticality
Get the most out of your valuable time by allocating resources to areas that require greater due diligence. Start by grouping or “tiering” your vendors based on how critical they are to your organisation. Essentially, a “critical” vendor is one that has access to your sensitive data or provides an important service. When determining whether a particular third-party meets this criteria, consider what they’ll be used for, what type of data they’ll hold, and whether they’ll have persistent access across your network.
By grouping your vendors in this way, you’ll be able to determine whether a particular third-party needs a more in-depth assessment or requires fewer touchpoints — empowering you to achieve greater efficiencies while still effectively managing risk throughout your supply chain.
2. Evaluate Third-Party Risk
In order to measure and communicate the effectiveness of a vendor’s security program, your organisation must have a common, standard set of cyber risk KPIs. Calculated using externally observable and verifiable data, BitSight Security Ratings give you an instantaneous snapshot of each potential partner’s overall security posture.
Armed with this data, you can compare vendors’ security profiles side-by-side and prioritise your assessments according to risk. You may decide, for example, that the assessment process for vendors with high security ratings may not need to be as rigorous, while the process for vendors with lower ratings could be more thorough.
3. Establish acceptable risk thresholds
Determining what your organisation considers to be an acceptable risk threshold is a critical step to developing an effective third-party risk management program — but it’s not a decision for security or IT teams to make alone. Partner with legal and finance to set an acceptable risk threshold that all vendors must meet in order to be considered, and then devise policies and enforceable contract language to ensure compliance throughout the length of your partnerships.
Establishing this criteria from the onset will help you to accelerate and refine the procurement process.
4. Monitor Your Vendors Continuously
From a security standpoint, your work isn’t done after a vendor signs on the dotted line. Once your third parties are onboarded, it’s critical that you continuously monitor their security postures — ensuring that they maintain the agreed-upon thresholds.
Instead of using manual processes involving spreadsheets and calendar reminders, you can save time and resources by leveraging BitSight Security Ratings. As these ratings are updated on a daily basis, you can easily track how your vendors’ security performance is changing over time — and even set up alerts to notify you of any critical shifts.
According to Gartner it now takes an average of 90 days to onboard a new vendor, 20 days longer than four years ago.
By taking an adaptive, tiered approach to vendor onboarding, you can turn third-party risk management into a business enabler — instead of a roadblock.
With BitSight Security Ratings data, you’ll be able to determine the appropriate level of assessment every time, based on each prospective vendor’s security posture and relationship to your organisation.
Interested in learning more about how to save onboarding time, reduce costs, and scale your program with ease?
Download the Full White Paper
Pressed for Time? Then read the Quick Guide
You’re Only As Strong As Your Weakest Link
There’s never a more vital time to start thinking seriously about the security posture of your organisation and extended enterprise. DVV Solutions are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party cyber and data privacy risk domains. For more advice and information on any Third-Party risk challenge you have:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
Learn more about What We Do