Managing cyber risk is more than just monitoring your own network for vulnerabilities and threats – you are just as prone to network attacks stemming from third parties. According to the 2022 Verizon Data Breach Investigations Report, 62% of network intrusions came through an organization’s partner.
If you’re just beginning to develop your third-party risk management (TPRM) program, here are five vendor cybersecurity practices to get you started.
1. Hold vendors accountable to a security standard
Before you onboard new vendors, set a minimum acceptable risk threshold that a third party must achieve to be considered a partner.
One way to do this in a consistent and uniform way is to use a security rating. Bitsight Security Ratings, which range from 250 to 900, provide a data-backed view of a vendor’s cybersecurity posture. If a vendor has a lower rating, they may require a more in-depth assessment than those that meet your risk threshold. For example, a payroll provider or cloud service provider may need to be held to a higher cybersecurity standard than, say, an office supplies company.
Tip: Click here to see average security ratings by industry, and then use this insight to inform your vendor risk thresholds.
Once you’ve established a risk threshold for your vendors, incorporate that metric into your vendor contracts alongside other operational service level agreements (SLAs). Then, use TPRM tools to alert you if a vendor’s security posture drops below pre-agreed thresholds.
2. Validate vendor responses with objective data
Security questionnaires are a tried-and-tested way to assess a vendor’s security posture during the onboarding process. But questionnaires have key limitations:
- They only provide a snapshot of risk.
- They are subjective and require you to take your vendors at their word.
- They tend to be one-size-fits-all – meaning that less-critical vendors are asked the same questions as critical vendors, creating more work for risk assessment teams.
Questionnaires are important, but it’s critical that you validate them with objective, data-driven insights. Rather than relying on your vendors’ claims, use a tool like Bitsight for Third-Party Risk Management to assess your suppliers’ risk postures with objective data about vulnerabilities in their networks, previous cyber incidents, and risky fourth-party connections.
Using this insight, you can easily prioritize those vendors that need a more in-depth assessment rather than wasting time conducting a deep dive into each vendor’s risk profile.
3. Continuously monitor your vendors throughout the contract lifecycle
Your risk assessment efforts don’t end once the contracts are signed. Because cyber risk is constantly evolving, it’s critical that you maintain a pulse on your vendors' changing risk profiles over the course of the contract lifecycle.
You can achieve that goal without the need for frequent and time-consuming cybersecurity audits. Using Bitsight TPRM, you can monitor your vendors’ cyber health automatically and continuously. A handy dashboard displays each vendor’s risk profile. Plus, you’ll receive alerts when new risk – such as a misconfigured system or insecure access port – is found, or when a vendor’s risk posture drops below contractual SLAs.
4. Collaborate with your vendors using shared views of risk
Because risk management is a collaborative process, you can share Bitsight’s findings with your vendors so they can view hidden risk in their network.
With Bitsight’s Enable Vendor Access feature, vendors can monitor their security ratings, discover vulnerabilities, and get actionable recommendations about how they can strengthen their network security.
5. Organize vendor data and assessments
There are many tools you can use to reduce risk throughout the vendor lifecycle, but that can require third-party risk professionals to jump among disparate tools to find the information they need. That makes prioritization confusing and time-consuming. Worse, risky vendors could slip through the cracks.
A better way to improve decision-making is to organize your vendor data and assessments in a unified tool. For instance, Bitsight Vendor Risk Management (VRM) is a new tool that addresses the evolving needs of risk managers. Bitsight VRM’s comprehensive capabilities span all aspects of vendor risk management with one fully integrated solution. And, with objective evidence supporting validation of vendor responses, Bitsight VRM lets you make more informed decisions faster.