In today’s day and age, organizations understand that data breaches are a growing problem, but many fail to realize that a third party breach can impact them as much as a breach on their own network. Here we’ll examine several misconceptions surrounding vendor risk management (VRM), and how you can proactively create a strategy to avoid common pitfalls.
The Spread of Third Party Breach Disruptions
In October of 2016, multiple distributed denial-of-service (DDoS) attacks targeted systems operated by the Domain Name System (DNS) provider Dyn. These massive attacks rendered major Internet platforms and services unavailable to large groups of users in both Europe and North America. In fact, 3,500 companies had at least one domain using Dyn, and 500 companies used Dyn for 100% of their domains. While few had heard of Dyn, a significant number of companies were impacted by this attack. This is a strong example of a hidden aggregate risk issue: one relatively unknown service provider ended up impacting a large number of companies, many of which could be in your vendor ecosystem.
The Dyn attacks reinforced the fact that these large scale disruptions are becoming more and more common. Now consider the WannaCry attack from March of this year, where hackers held hundreds of companies’ information for ransom and left organizations scrambling to ensure that their vendors were not affected. Many companies have been left wondering whether a third party with a weak security posture can make their own data vulnerable to attack.
You may be thinking, “this does not affect me or my third parties.” The truth is, third party risk affects nearly every single company. There are several other misconceptions around VRM:
So, why does this matter? Consider the Board of Directors. Because they are laser-focused on the health of the company, they are increasingly asking about cybersecurity and vendor security. This is driven by the increasing frequency of data breaches. The 2013 Target breach, for example, caused Board members everywhere to ask, “could this happen to us?”
An increasing number of security leaders are being asked to present to executives on their security and risk programs. If CISOs can’t accurately represent the health of the company’s cybersecurity, they may not be able to fight for larger budgets and align the goals of cybersecurity with the goals of the business. This is a VRM blind spot: lack of reporting may lead to lack of budget, which will create gaps in your risk management approach.
In addition to the Board, regulators are also asking key questions about third party risk management. In fact, there have been quite a few regulations recently that have changed the regulatory landscape. Here are just a few regulations and frameworks to monitor over the next year:
Given the common misconceptions associated with third party risk management, what can you do to avoid VRM pitfalls?
Organizations are only as strong as their vendors. Today, it’s critical that companies evaluate the security of both third and fourth parties, and tailor their actions around implementing a vendor risk management strategy to avoid being impacted by blind spots.