Today, 59% of data breaches originate with third-party vendors. And, as globalization brings more interconnected supply chains, that number is anticipated to grow.
Yet, even with vigorous security controls in place, the vast majority of organizations struggle with supply chain cybersecurity risk management.
A key challenge to managing third-party cyber risk is that everything is out of your direct control. How can you gain insight into your vendor's security posture so that you can make informed decisions about the risks of doing business with them? Even with that insight, how do you get at-risk vendors to improve their security controls?
In this article, we explain how you can assess your third parties for cyber risk and outline steps you can take to remediate the risk of a third-party data breach.
1. Assess your vendors for risk before you enter a relationship
Onboarding third-party vendors who will have access to your network and data without gauging the cybersecurity risk they pose is extremely risky. Yet, too many organizations overlook the importance of cyber risk assessment during the vendor selection process.
One way to calculate risk is by using a continuous monitoring and vendor risk assessment tool, like BitSight Security Ratings. With BitSight, you can quickly assess a vendor's security posture, the vulnerabilities and threats associated with it, and the resulting risk of a breach.
This pre-assessment can be done without requiring consent from a vendor. You can even benchmark and compare a vendor to their peers and others in their sector to help you make an informed decision about which vendor you should select.
The result is a more accurate real-time picture of cyber risk than can be achieved by completing costly risk assessments, penetration tests, or vulnerability scans.
2. Incorporate risk management into your contracts
Make a practice of including cybersecurity risk provisions in your vendor contracts. While this won’t prevent a third-party data breach, it will hold the vendor accountable should their security posture deteriorate and they fail to remediate it.
In fact, many organizations are incorporating security ratings into their contracts. For example, some stipulate that vendors must maintain a security rating above X, or risk having their contract terminated. Independent third parties have confirmed that companies with a security rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
We also recommend that you incorporate SLAs into your contract so that you can steer the cybersecurity risk management behavior of your vendor. Consider adding language that requires your vendors to communicate or even remediate any security issues within a certain time frame, such as 48 or 72 hours.
3. Once onboard, continuously monitor your vendors for security risks
A vendor’s security posture can and will change over the course of your contract. It’s critical that you continuously monitor their security controls over time.
The trouble is, most organizations don’t build continuous monitoring into their third-party risk management programs. Instead, they perform point-in-time assessments, such as cybersecurity audits or risk assessment questionnaires, which are typically only snapshots of an organization's security posture. These snapshots can fail to capture risk that arises over the course of the third-party relationship.
Indeed, Gartner found that 83% of legal and compliance leaders identified third-party risks after due diligence and before recertification. “As third-party relationships change, compliance leaders must ensure risks are mitigated over the course of the relationship.”
4. Collaborate with your vendors to protect against a third-party data breach
While you can never fully prevent a third-party data breach, it’s important that you work collaboratively, not combatively, with your vendors to reduce risk and fix security issues quickly so that you don't end up in a situation similar to the SolarWinds breach.
There are several features in BitSight that support this process.
For example, you can give vendors access to your portal so they can investigate their rating and the details behind it, enabling them to identify vulnerabilities and remediate risk immediately. BitSight also sends alerts when a vendor’s rating drops below a certain threshold and suggests remediation strategies. This facilitates outreach and allows you and your vendors to react quickly.
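The monitoring loop described in steps 2 through 4 (a contractual rating floor, a remediation SLA, and an alert whenever a vendor drops below the floor) can be expressed as a small portfolio check. The Python below is an added example, not BitSight's code or API: the floor of 700, the 72-hour SLA, the vendor names and the rating history are all constructed for illustration, and a real deployment would feed observations from the rating provider instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed contract terms (constructed for this example): the minimum rating a
# vendor must maintain, and how long they have to recover once they fall below it.
CONTRACT_FLOOR = 700
REMEDIATION_SLA = timedelta(hours=72)


@dataclass(frozen=True)
class Observation:
    """One rating sample for a vendor, as a monitoring feed would deliver it."""
    when: datetime
    rating: int


@dataclass
class Finding:
    """A period during which a vendor's rating sat below the contractual floor."""
    vendor: str
    opened: datetime
    lowest_rating: int
    closed: Optional[datetime] = None

    def duration(self, now: datetime) -> timedelta:
        """Time spent below the floor; still counting if the finding is open."""
        return (self.closed or now) - self.opened

    def sla_breached(self, now: datetime, sla: timedelta = REMEDIATION_SLA) -> bool:
        return self.duration(now) > sla


def evaluate_vendor(vendor, observations, floor=CONTRACT_FLOOR):
    """Replay a vendor's rating history in time order and derive findings.

    A finding opens on the first observation below the floor and closes on the
    first later observation at or above it. Returns findings oldest first.
    """
    findings, current = [], None
    for obs in sorted(observations, key=lambda o: o.when):
        if obs.rating < floor:
            if current is None:
                current = Finding(vendor, obs.when, obs.rating)
                findings.append(current)
            else:
                current.lowest_rating = min(current.lowest_rating, obs.rating)
        elif current is not None:
            current.closed = obs.when
            current = None
    return findings


def portfolio_report(portfolio, now, floor=CONTRACT_FLOOR, sla=REMEDIATION_SLA):
    """Summarise each vendor: latest rating, whether a finding is open, whether
    that open finding is past the SLA (escalate now), and past SLA breaches."""
    report = {}
    for vendor, observations in portfolio.items():
        findings = evaluate_vendor(vendor, observations, floor)
        open_findings = [f for f in findings if f.closed is None]
        latest = max(observations, key=lambda o: o.when)
        report[vendor] = {
            "latest_rating": latest.rating,
            "below_floor": latest.rating < floor,
            "open_finding": bool(open_findings),
            "overdue": any(f.sla_breached(now, sla) for f in open_findings),
            "past_breaches": sum(f.sla_breached(now, sla) for f in findings if f.closed),
        }
    return report


# Constructed sample data: two fictional vendors and a fixed "now".
SAMPLE_PORTFOLIO = {
    "alpha-hosting": [
        Observation(datetime(2024, 1, 1), 720),
        Observation(datetime(2024, 1, 3), 690),   # below floor: finding opens
        Observation(datetime(2024, 1, 5), 710),   # recovered after 48h, inside the SLA
        Observation(datetime(2024, 1, 10), 650),  # drops again and never recovers
    ],
    "beta-payroll": [
        Observation(datetime(2024, 1, 1), 760),
        Observation(datetime(2024, 1, 8), 740),
    ],
}
NOW = datetime(2024, 1, 15)


if __name__ == "__main__":
    for vendor, row in portfolio_report(SAMPLE_PORTFOLIO, NOW).items():
        status = "ESCALATE" if row["overdue"] else ("watch" if row["open_finding"] else "ok")
        print(f"{vendor:14} rating={row['latest_rating']} {status}")
```

The replay is deliberately stateless: every run recomputes findings from the full history, so a missed alert or a reordered feed cannot leave a stale open finding behind. The `past_breaches` count is what you would bring to the contractual conversation in step 2, while `overdue` is the list that needs outreach today.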
The ripple effect of minimizing cyber risk in your supply chain
As cyber threats become more advanced and persistent, only through continuous monitoring and evidence-based conversations with your vendors can you reduce cyber risk across your business ecosystem and minimize the chances of a third-party data breach.
Not only will your organization benefit from this approach to vendor risk management, but your third parties, and even fourth and “nth” parties, will be empowered to drive their cybersecurity efforts responsibly.