Third-Party Security: How To Successfully Monitor For Potential Breaches

Melissa Stevens | June 2, 2016 | tag: Vendor Risk Management

Recently, BitSight commissioned Forrester Consulting to examine the practices of IT decision-makers as they relate to third-party monitoring and managing third-party risk. From the survey, we learned that 59% of IT decision-makers indicated a desire to track and monitor third-party security—but only 22% were tracking with monthly, weekly, daily, or real-time frequency.

So while many professionals want to monitor the security of their vendors, less than a quarter of them do so with any regularity. If you are interested in monitoring your third parties more regularly for potential breaches but don’t know how, we’ve laid out four ways you can get started today.

1. Make sure you (or your employees) have the bandwidth.

Simply put, you cannot improve your third-party security and effectively monitor for potential breaches without having the employee bandwidth to do so. If you have an excellent cybersecurity monitoring tool—which we’ll discuss next—you’ll likely only need one employee who has access to alerts about security posture changes. This individual can then pass any updates on to the necessary parties.

If you don’t have the capacity for a monitoring tool or system, you’ll likely need several employees who are actively monitoring your vendors. Consider how many vendors you need to monitor and how frequently you’d like to monitor them. Talking to each vendor and filling out spreadsheets for each one every week could be a serious time constraint.

2. Choose a tool that allows for continuous monitoring.

As previously mentioned, having the right third-party security tool makes all the difference. If you can find a system or security tool that enables you to monitor your third parties in real time—or at least daily—that’s ideal. Real-time monitoring is what you need to keep up with today’s cyberthreats.

BitSight, for example, allows you to monitor your vendors’ security ratings, which gives you a good indication of their overall security posture. If that number changes—for better or for worse—you’ll have a good sense of whether or not your third parties are putting adequate controls in place to protect your data and improve their security.

3. Monitor large attack vectors.

Another important aspect of third-party security is identifying any imminent threats or areas of weakness. One area to pay close attention to is how well your vendors and suppliers are doing at mitigating the risk of high-profile SSL vulnerabilities like POODLE, FREAK, and Heartbleed. These have all been around for a while now, so there’s no reason that they shouldn’t be patched.

4. Lower event remediation times.

In order to lower event remediation times, you first need to set a baseline. To do so, you’ll want to determine how many vulnerabilities your vendors have in their systems that are yet to be patched—and then determine how quickly they’re able to patch or remediate them.

To understand the importance of patching cadence, consider what happens when new software is installed. When a new update comes out for a system you already have in place, it likely contains bugs or vulnerabilities that will only be found after deployment. Patches for these vulnerabilities become available regularly, but they don’t do any good unless they’re applied right away. The same holds for your third-party security.
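One way to set the baseline described above, as an added example that is not part of the original post: count each vendor’s still-open findings, measure how long the closed ones took to remediate, and flag vendors whose oldest unpatched finding exceeds an agreed SLA. The vendor names, findings and dates are constructed sample data, and the 30-day SLA is an assumed value.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    vendor: str
    issue: str
    opened: date
    closed: Optional[date] = None  # None means still unpatched


# Constructed sample findings for two hypothetical vendors (not real data).
FINDINGS = [
    Finding("Vendor A", "Heartbleed", date(2016, 1, 5), date(2016, 1, 12)),
    Finding("Vendor A", "POODLE", date(2016, 2, 1), date(2016, 2, 15)),
    Finding("Vendor A", "FREAK", date(2016, 3, 1), date(2016, 3, 11)),
    Finding("Vendor B", "Heartbleed", date(2016, 1, 5), date(2016, 3, 5)),
    Finding("Vendor B", "POODLE", date(2016, 2, 1)),
]
AS_OF = date(2016, 6, 1)  # reporting date for the constructed sample


def remediation_baseline(findings, as_of):
    """Per vendor: number of open findings, median days-to-remediate for
    closed findings (None if nothing has been closed yet), and the age in
    days of the oldest still-open finding (0 if none are open)."""
    per_vendor = {}
    for f in findings:
        s = per_vendor.setdefault(
            f.vendor, {"open": 0, "ttr_days": [], "oldest_open_days": 0})
        if f.closed is None:
            s["open"] += 1
            s["oldest_open_days"] = max(s["oldest_open_days"], (as_of - f.opened).days)
        else:
            s["ttr_days"].append((f.closed - f.opened).days)
    return {
        v: {"open": s["open"],
            "median_ttr_days": median(s["ttr_days"]) if s["ttr_days"] else None,
            "oldest_open_days": s["oldest_open_days"]}
        for v, s in per_vendor.items()
    }


def vendors_over_sla(baseline, max_days):
    """Vendors whose oldest unpatched finding is older than the agreed SLA."""
    return sorted(v for v, s in baseline.items() if s["oldest_open_days"] > max_days)


if __name__ == "__main__":
    baseline = remediation_baseline(FINDINGS, AS_OF)
    for vendor, stats in baseline.items():
        print(vendor, stats)
    print("over 30-day SLA:", vendors_over_sla(baseline, 30))
```

Re-running the same computation each month against the original numbers shows whether a vendor’s remediation times are actually coming down.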
