
Understanding a Vendor’s Cybersecurity Risk – BitSight Guest Blog

Did you know that, according to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties? During these uncertain times, when many industries are shifting to an increasingly remote workforce, organisations may feel pressure to meet new business requirements by onboarding new technology faster. However, given the serious consequences of a breach, and the fact that phishing attacks and other cyber scams are on the rise during the coronavirus pandemic, it is more important than ever to consider a potential vendor's cybersecurity risk posture before you sign on the dotted line.


Quantify Cybersecurity Risk with Security Ratings

In the past, you may have relied on methods such as internal assessments, third-party audits, and penetration tests to evaluate and quantify cybersecurity risk in your vendor network. All of these approaches share some common flaws. They are resource-intensive and provide only static, point-in-time results. They also depend heavily on the judgement of whoever performs them, and they produce highly technical findings that can be difficult to explain to executives.

Security ratings provide a continuously updated, data-driven, and objective measure of security performance, which makes them a far better basis for ongoing visibility into a third party's risk. Unlike a point-in-time snapshot, BitSight Security Ratings are refreshed daily, so you can track how a vendor's security posture changes over time. With a standard, easily understood KPI of this kind, you can streamline the process of setting vendor security goals, monitoring shifts, and reporting progress or areas of concern back to the broader team.


Define Your Acceptable Risk Thresholds

Before you begin evaluating a potential vendor's cybersecurity risk, it is important to partner with your legal, finance, and compliance teams to define what you consider an acceptable risk threshold. Of course, your business relationship differs from vendor to vendor, so you should refrain from setting a single risk threshold for your entire network.

Instead, group or "tier" your vendors by criticality and then work with your team to determine an acceptable risk threshold for each tier. For example, you may tolerate more risk from a less critical vendor that holds none of your data and has no access to your network than from a critical vendor that holds a great deal of data or maintains constant connectivity to your systems. Establish criteria both for the total risk posed by the vendor and for the threat posed by individual factors of its security posture, so that a strong overall rating cannot mask a single severe weakness.


Which Risk Factors Should You Consider?

When evaluating a potential vendor’s security posture, you should focus your efforts on a few key indicators of performance:

1. Compromised systems

Compromised systems are those for which there is evidence of a successful cyber attack. A compromised system does not necessarily mean data has been lost, but each one indicates that the vendor's environment has been breached in some manner. BitSight identifies and classifies compromised systems into the following risk types: botnet infections, spam propagation, malware servers, potentially exploited machines, and unsolicited communications. Because compromised systems are the indicator most strongly correlated with the likelihood of a breach, it is critical to assess whether any devices within a potential vendor's network are infected with malware.

2. Diligence

Data points in this category indicate whether a third party has taken steps to prevent an attack. To measure how effectively a vendor has implemented the necessary controls, BitSight analyses security configurations and protocols associated with risk vectors such as open ports, patching cadence, and insecure systems. On your end, you should assess, for example, whether a potential vendor has properly configured its email servers: correct SPF and DMARC records help prevent spoofing and phishing that abuse the vendor's domain, and getting such basics right is a good sign that the organisation has sound risk management practices in place.
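As an added illustration of the kind of diligence check described above (this is example code written for this page, not BitSight's own analysis or any DVV Solutions tooling), the following Python checks a vendor domain's SPF and DMARC records for settings that leave the domain open to spoofing: a permissive or missing "all" mechanism, too many DNS-lookup terms, a monitor-only DMARC policy, partial enforcement, and missing reporting. The record strings are constructed samples embedded for offline use; a live check would fetch the TXT records at the domain and at `_dmarc.<domain>` with a DNS resolver library, which is assumed here rather than included.

```python
"""Weak-setting checks for a vendor's SPF and DMARC records.

Added example for this page. The record strings are constructed for offline
use; a live check would fetch the TXT records for <domain> and _dmarc.<domain>.
"""
import re

# Constructed sample records (not real vendor data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.IGNORECASE)
_ALL_TERM = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)


def check_spf(record):
    """Return a list of findings for one SPF TXT record (None means not published)."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings = []
    all_matches = [m for m in map(_ALL_TERM.match, terms[1:]) if m]
    if not all_matches:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_matches[-1].group(1) or "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorises any host to send mail for the domain")
        elif qualifier == "?":
            findings.append("'?all' gives receivers no verdict for unlisted senders")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10, so receivers return permerror")
    if any(re.match(r"^[+\-~?]?ptr", t, re.IGNORECASE) for t in terms[1:]):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record (None means not published)."""
    if record is None:
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not being collected")
    return findings


def assess_domain(domain, records):
    """Combine both checks into a per-domain result for the vendor assessment."""
    findings = {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc"))}
    verdict = "pass" if not findings["spf"] and not findings["dmarc"] else "review"
    return {"domain": domain, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = assess_domain(name, recs)
        print(f"{name}: {result['verdict']}")
        for kind, items in result["findings"].items():
            for item in items:
                print(f"  [{kind}] {item}")
```

A "review" verdict is a prompt for a conversation with the vendor, not proof of a breach: a p=none policy is a normal first stage of a DMARC rollout, so the useful question is how long the vendor has been sitting at that stage.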

3. User behaviour

Within this category, examine user activities that could introduce malicious software into the vendor's network and, through the vendor relationship, into yours. BitSight highlights two risk types when classifying user behaviour: file sharing and exposed credentials. When evaluating a potential vendor, consider whether its employees use peer-to-peer file-sharing protocols to exchange media and software, since these practices make a network more susceptible to malware infections, and whether employee credentials have appeared in public breach dumps, since leaked passwords give attackers a direct route into the vendor's systems.

4. Data breaches

Of course, before entering into a new vendor partnership, it is critical to know whether that organisation has any recent history of breaches for which it was responsible for the data loss. BitSight collects information about publicly disclosed breaches from a variety of news sources and data breach aggregation services, so this information is always available when you conduct your third-party risk assessments.


Streamline Vendor Cybersecurity Risk Assessment with Security Ratings

As your vendor network grows, so does your attack surface. To protect the assets in your expanding digital ecosystem, it is critical to ensure that all of your third-party partners meet your security standards and to conduct the necessary due diligence on each of them.

With a standard KPI like security ratings, it’s easier than ever for you to assess a potential vendor’s cybersecurity posture throughout your business partnership — saving you valuable time and resources.


Ready to learn more about creating a faster, less costly and more scalable vendor onboarding and cybersecurity risk assessment program with ease?

Download the latest BitSight Vendor Onboarding White Paper

Pressed for Time? Then read the Quick Guide

4 Ways to Optimise Your Vendor Onboarding Process With BitSight


You’re Only As Strong As Your Weakest Link

There’s never a more vital time to start thinking seriously about the security posture of your organisation and extended enterprise. DVV Solutions are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party cyber and data privacy risk domains. For more advice and information on any Third-Party risk challenge you have:

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our Contact Form, or

Learn more about What We Do


This article was originally published by BitSight and is shared with their kind permission.