When your organization decides to work with vendors, you agree to take on any potential cyber risk associated with that company. Unfortunately, these risks are on the rise. The massive SolarWinds and Kaseya supply chain hacks are headline grabbing examples. But even vulnerabilities in seemingly harmless devices like the GPS technology used by major organizations around the globe can cause significant supply chain risk.
It’s essential that these threats must be identified and mitigated during the vendor due diligence process. But if you are like most organizations, the process of assessing cyber risk across your extended supply chain is time-consuming and inefficient.
If you're looking for tips for improving vendor due diligence to combat growing third-party threats, consider the following best practices.
4 effective vendor due diligence practices
1. Set vendor risk tolerance thresholds
Traditional vendor due diligence assessment efforts tend to be one-size-fits-all, meaning the most critical vendors get the same treatment as less critical vendors – creating more work for security and risk management teams, and delaying vendor onboarding.
Instead, establish an acceptable risk threshold that a third-party must achieve to be considered as a potential partner. For example, a vendor who handles highly sensitive data – such as an accounting firm or cloud service provider – may need to be held to a higher cybersecurity (and risk evaluation) standard than, say, a food service vendor.
One way to do this in a consistent and uniform way is to use a security rating. BitSight Security Ratings, which range from 250 to 900, provide a data-backed view of a vendor’s cybersecurity posture. If a vendor has a lower rating, they may require a more in-depth assessment than those that meet your risk threshold.
Tip: If you’re not sure what your risk tolerance threshold is, we’ve identified industry averages by security rating here.
2. Tier your vendors
To further define a risk threshold, tier your vendors based on their risk and criticality to your business. For example, a payroll vendor would be classified a tier one or mission-critical vendor and held to a higher standard of security performance – and require greater due diligence – than an office supply company who does not have access to sensitive information or connectivity to your network or systems.
Tip: Tier your vendors quickly and easily with BitSight’s tier recommender service. The tool uses tiering best practices and provides a suggested tier for each vendor based on the nature of their business and the risk they pose.
3. Continuously monitor vendor risk
Third-party risk management is an ongoing tactic that goes beyond the vendor due diligence process. Keeping up with the threat landscape and your vendors' digital ecosystems is a constant balancing act. You want to ensure their security practices are mature, but you don’t have the resources to conduct in-depth audits or assessments every three to six months.
But you can keep a finger on the pulse of your vendors’ cyber health by continuously monitoring your vendors’ changing risk profiles throughout the life of your partnerships. Think of it as seeing your vendors’ attack surfaces the way a hacker does.
Tip: Set automated alerts that are triggered when a vendor’s security posture changes or deviates from pre-agreed risk thresholds or contractual SLAs.
4. Automate vendor due diligence processes
According to Forrester, 69% of businesses rely on manual processes for their third-party risk management (TPRM) program. This limits your team’s productivity and impacts the quality of your work, potentially exposing your organization to increased cyber risk.
Instead, find ways to automate and right size the process of assessing cyber risk across your extended supply chain – quickly and with confidence.
BitSight can help accelerate this process. Through our pending acquisition of ThirdPartyTrust, whose comprehensive TPRM tool expands on our own supply chain cyber risk management offering, we can deliver an integrated, end-to-end solution that lets you:
- Get more done with the resources you have: Fully automate vendor risk assessments without increasing headcount.
- Drive results with customized workflows: Enhance and customize your vendor due diligence process with automation, centralized document storage, and risk assessment workflows that go beyond one-size-fits-all approaches to vendor due diligence.
- Build a complete TPRM program with objective intelligence: Quickly discover and mitigate unforeseen cyber risk across your extended vendor landscape, then share that information with stakeholders.
- Build trust with meaningful metrics that scale: Easily validate your vendors’ responses to security questionnaires and quickly identify red flags with powerful security performance data analytics.
With increased confidence comes increased trust
With improved insight, you can reveal the true nature of a vendor’s security maturity. With a full view of your vendors’ cyber health, you can make informed decisions about the risk you’re willing to accept, which vendors require more frequent security touchpoints, and keep your supply chain as secure as possible.
Learn more about how BitSight + ThirdPartyTrust can help you make TPRM risk decisions with confidence.