Understanding a Vendor’s Cybersecurity Risk

Kim Johnson | April 20, 2020 | tag: Third Party Risk Management

Did you know that, according to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties? During these uncertain times, when many industries are shifting to an increasingly remote workforce, organizations may feel pressure to accommodate new business requirements by onboarding new technology faster. However, given the frightening implications of a potential breach — and the fact that phishing attacks and other cyber scams are on the rise due to the ongoing coronavirus pandemic — it’s more important than ever that you consider a potential vendor’s cybersecurity posture before you sign on the dotted line.

Quantify cyber risk with security ratings

In the past, you may have relied on methods such as internal assessments, third-party cyber security audits, and penetration tests to evaluate and quantify cyber risk in your vendor network. But all of these tactics share a few common flaws. They tend to be extremely resource-intensive — and provide only static, point-in-time results. In addition, these methods are subjective and produce highly technical metrics that can be difficult to explain to executives.

As security ratings provide a real-time, data-driven, and objective measure of security performance, they are the ultimate solution for achieving visibility into a third party’s risk. Unlike a point-in-time snapshot, BitSight Security Ratings are updated daily, so you can track how your vendors’ security posture is changing over time. By using this type of standard, easily understandable KPI, you can streamline and simplify the process of setting vendor security goals, monitoring shifts, and reporting back to the broader team on progress or areas of concern.

Define your acceptable risk thresholds

Before you begin evaluating a potential vendor’s cybersecurity posture, it’s important to partner with your legal, finance, and compliance teams to define what you consider to be an acceptable risk threshold. Of course, your business relationship differs from vendor to vendor — and so you should refrain from setting one standard risk threshold for your entire network.

Instead, group or “tier” your vendors by criticality and then work with your team to determine an acceptable risk threshold for each group. For example, you may want to grant a higher level of risk tolerance to less critical vendors that hold no data or don’t have access to your corporation’s network, versus critical vendors that hold a great deal of data or maintain constant contact with your company’s systems. Make sure to establish criteria both for the total risk posed by the vendor as well as the threat posed by individual factors of their security posture.

Which risk factors should you consider?

When evaluating a potential vendor’s security posture, you should focus your efforts on a few key indicators of performance:

1. Compromised systems

Compromised systems are those that represent evidence of successful cyber attacks. Although a compromised system does not necessarily equate to data loss, each one is an indication that the vendor has been compromised in some manner. At BitSight, we identify and classify compromised systems into the following risk types: botnet infections, spam propagation, malware servers, potentially exploited machines, and unsolicited communications. As compromised systems are most correlated to the potential for breach, it’s critical that you assess whether any devices within a potential vendor’s network are infected with malware.

2. Diligence

Data points in this category indicate whether a particular third party has taken steps to prevent an attack. In an effort to measure a vendor’s effectiveness in implementing the necessary controls, BitSight analyzes security configurations and protocols associated with risk vectors such as open ports, patching cadence, and insecure systems. On your end, you should assess, for example, whether a potential vendor has a proper email server configuration — as this can help prevent email-related attacks and indicates that the organization in question has good risk management practices in place.

3. User behavior

Within this particular category, you should examine any user activities that have the potential to introduce malicious software into your corporate network. At BitSight, we highlight the following two risk types when classifying user behavior: file sharing and exposed credentials. When evaluating a potential vendor, consider whether employees of the company in question leverage peer-to-peer exchange protocols for sharing media and software — as these practices can make a network more susceptible to malware infections.

4. Data breaches

Of course, before entering into a new vendor partnership, it’s critical to know whether that organization has any recent history of breaches for which it was at fault for the data loss. BitSight collects information about publicly disclosed breaches from a variety of news sources and data breach aggregation services — so you’ll always have this information at your disposal when conducting your third-party risk management assessments.
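The tiering and threshold approach described above (tier vendors by criticality, then check both the total risk and each individual factor against that tier's limits), as an added example that is not part of the original post or of BitSight's product: the score scale, the use of the mean as the overall rating, and every threshold value are assumptions chosen for illustration.

```python
# Added example, not BitSight's code. Assumed: factor scores are 0-100 (higher
# is better), the overall rating is the mean of the four factors, and every
# threshold below is constructed for illustration only.
from dataclasses import dataclass

FACTORS = ("compromised_systems", "diligence", "user_behavior", "data_breaches")

@dataclass(frozen=True)
class TierPolicy:
    min_overall: int   # floor for the vendor's overall rating
    min_factor: dict   # per-factor floors; tighter for more critical tiers

# Critical vendors (hold data AND touch the network) get the tightest floors.
POLICIES = {
    "critical": TierPolicy(80, {"compromised_systems": 85, "data_breaches": 80,
                                "diligence": 75, "user_behavior": 70}),
    "standard": TierPolicy(65, {"compromised_systems": 70, "data_breaches": 60}),
    "low": TierPolicy(50, {"compromised_systems": 60}),
}

def tier_for(holds_data: bool, network_access: bool) -> str:
    """Criticality tier: data custody and network access each raise the tier."""
    if holds_data and network_access:
        return "critical"
    if holds_data or network_access:
        return "standard"
    return "low"

def assess(name: str, scores: dict, holds_data: bool, network_access: bool) -> dict:
    """Check the overall rating and each factor against the vendor's tier floors."""
    tier = tier_for(holds_data, network_access)
    policy = POLICIES[tier]
    overall = sum(scores[f] for f in FACTORS) / len(FACTORS)
    findings = []
    if overall < policy.min_overall:
        findings.append(f"overall {overall:.1f} below tier floor {policy.min_overall}")
    for factor, floor in policy.min_factor.items():
        if scores[factor] < floor:
            findings.append(f"{factor} {scores[factor]} below floor {floor}")
    return {"vendor": name, "tier": tier, "overall": overall,
            "accepted": not findings, "findings": findings}

# Constructed sample vendor: the same scores pass at "standard" but fail at
# "critical", which is why one network-wide threshold does not work.
PAYROLL_SCORES = {"compromised_systems": 90, "diligence": 78,
                  "user_behavior": 72, "data_breaches": 70}

if __name__ == "__main__":
    for holds, net in ((True, True), (True, False)):
        print(assess("payroll-saas", PAYROLL_SCORES, holds, net))
```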

Streamline your vendor assessment with security ratings

As your vendor network grows, so does your attack surface. In order to protect the assets in your expanding digital ecosystem, it’s critical for you to ensure that all of your third-party partners meet your security standards and conduct the necessary due diligence. With a standard KPI like security ratings, it’s easier than ever for you to assess a potential vendor’s cybersecurity posture throughout your business partnership — saving you valuable time and resources.

Interested in learning more? Check out our new guide, 4 Ways to Optimize Your Vendor Onboarding Process With BitSight Security Ratings.
