Recently, BitSight commissioned Forrester Consulting to examine how IT decision-makers monitor third parties and manage third-party risk. From the survey, we learned that 59% of IT decision-makers indicated a desire to track and monitor third-party security—but only 22% were doing so with monthly, weekly, daily, or real-time frequency.
So while many professionals want to monitor the security of their vendors, less than a quarter of them do so with any regularity. If you are interested in monitoring your third parties more regularly for potential breaches but don’t know how, we’ve laid out four ways you can get started today.
1. Make sure you (or your employees) have the bandwidth.
Simply put, you cannot improve your third-party security and effectively monitor for potential breaches without the employee bandwidth to do so. If you have an excellent cybersecurity monitoring tool—which we’ll discuss next—you’ll likely only need one employee with access to alerts about security posture changes. That individual can then pass any updates on to the necessary parties.
If you don’t have the capacity for a monitoring tool or system, you’ll likely need several employees working through the monitoring of your vendors. Consider how many vendors you need to monitor and how frequently you’d like to monitor them. Talking to each vendor and filling out a spreadsheet for it every week could be a serious time constraint.
2. Choose a tool that allows for continuous monitoring.
As previously mentioned, having the right third-party security tool makes all the difference. If you can find a system or security tool that enables you to monitor your third parties in real time—or at least daily—that’s ideal. Real-time monitoring is what you need to keep up with today’s cyber threats.
BitSight, for example, allows you to monitor your vendors’ security ratings, which gives you a good indication of their overall security posture. If that number changes—for better or for worse—you’ll have a good sense of whether or not your third parties are putting adequate controls in place to protect your data and improve their security.
3. Monitor large attack vectors.
Another important element of third-party security is identifying imminent threats or areas of weakness. One area to watch closely is how well your vendors and suppliers are mitigating the risk of high-profile SSL/TLS vulnerabilities like Poodle, Freak, and Heartbleed. These have all been around for a while now, so there’s no reason they shouldn’t be patched.
4. Lower event remediation times.
In order to lower event remediation times, you first need to set a baseline. To do so, determine how many unpatched vulnerabilities your vendors have in their systems—and then determine how quickly they’re able to patch or remediate them.
To understand the importance of patching cadence, consider what happens when you install new software. An update to a system you already have in place will likely contain bugs or vulnerabilities that are only found after deployment. Patches for these vulnerabilities become available regularly, but they do no good unless they’re applied promptly. The same holds for your vendors’ systems, which is why patching cadence is critical to your third-party security.
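As an added illustration of the baseline described in step 4 (this is example code, not BitSight’s product or a tool from the original post), the script below takes constructed per-vendor vulnerability records, counts what is still unpatched, computes each vendor’s median days-to-remediate, and flags vendors that exceed a remediation SLA you choose. Vendor names, dates, and the 30-day SLA are all assumptions made for the example.

```python
from datetime import date
from statistics import median

# Constructed sample findings (not real vendor data): one row per finding.
# closed=None means the vulnerability is still unpatched as of AS_OF.
AS_OF = date(2015, 4, 30)
FINDINGS = [
    {"vendor": "VendorA", "vuln": "POODLE",     "opened": date(2015, 1, 5),  "closed": date(2015, 1, 20)},
    {"vendor": "VendorA", "vuln": "FREAK",      "opened": date(2015, 3, 4),  "closed": date(2015, 3, 9)},
    {"vendor": "VendorA", "vuln": "Heartbleed", "opened": date(2015, 2, 1),  "closed": None},
    {"vendor": "VendorB", "vuln": "POODLE",     "opened": date(2015, 1, 5),  "closed": date(2015, 4, 15)},
    {"vendor": "VendorB", "vuln": "Heartbleed", "opened": date(2015, 1, 10), "closed": date(2015, 3, 11)},
    {"vendor": "VendorC", "vuln": "FREAK",      "opened": date(2015, 3, 4),  "closed": date(2015, 3, 6)},
]


def remediation_baseline(findings, as_of):
    """Per vendor: count of open findings, age of the oldest open finding,
    and the median days taken to remediate the findings that were closed."""
    by_vendor = {}
    for f in findings:
        v = by_vendor.setdefault(f["vendor"], {"open": 0, "oldest_open_days": 0, "closed_days": []})
        if f["closed"] is None:
            v["open"] += 1
            v["oldest_open_days"] = max(v["oldest_open_days"], (as_of - f["opened"]).days)
        else:
            v["closed_days"].append((f["closed"] - f["opened"]).days)
    return {
        vendor: {
            "open": v["open"],
            "oldest_open_days": v["oldest_open_days"],
            # None when a vendor has not closed anything yet, so there is no cadence to measure
            "median_days_to_remediate": median(v["closed_days"]) if v["closed_days"] else None,
        }
        for vendor, v in by_vendor.items()
    }


def vendors_over_sla(baseline, max_days):
    """Vendors whose oldest open finding or median remediation time exceeds max_days."""
    return sorted(
        vendor for vendor, m in baseline.items()
        if m["oldest_open_days"] > max_days
        or (m["median_days_to_remediate"] is not None and m["median_days_to_remediate"] > max_days)
    )


if __name__ == "__main__":
    baseline = remediation_baseline(FINDINGS, AS_OF)
    for vendor, metrics in sorted(baseline.items()):
        print(vendor, metrics)
    print("Over 30-day SLA:", vendors_over_sla(baseline, 30))
```

Rerunning this on each new export of vendor findings shows whether the median is falling over time, which is the signal that remediation times are actually improving.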