
Understanding a Vendor’s Cybersecurity Risk

Kim Johnson | April 20, 2020

Did you know that, according to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties? During these uncertain times, when many industries are shifting to an increasingly remote workforce, organizations may feel pressure to accommodate new business requirements by onboarding new technology faster. However, given the frightening implications of a potential breach — and the fact that phishing attacks and other cyber scams are on the rise due to the ongoing coronavirus pandemic — it’s more important than ever that you consider a potential vendor’s cybersecurity posture before you sign on the dotted line.

Quantify cyber risk with security ratings

In the past, you may have relied on methods such as internal assessments, third-party audits, and penetration tests to evaluate and quantify cyber risk in your vendor network. But all of these tactics share a few common flaws. They tend to be extremely resource-intensive — and provide only static, point-in-time results. In addition, these methods are subjective and produce highly technical metrics that can be difficult to explain to executives.

Because security ratings provide a continuously updated, data-driven, and objective measure of security performance, they are a practical way to gain visibility into a third party's risk. Unlike a point-in-time snapshot, BitSight Security Ratings are updated daily, so you can track how a vendor's security posture changes over time. Keep in mind what the rating measures: it is built from externally observable evidence, so it tells you what an attacker can see from the outside rather than how a vendor's internal controls are run. Used as the standard, easily understandable KPI it is, it lets you streamline and simplify the process of setting vendor security goals, monitoring shifts, and reporting progress or areas of concern back to the broader team.

Define your acceptable risk thresholds

Before you begin evaluating a potential vendor’s cybersecurity posture, it’s important to partner with your legal, finance, and compliance teams to define what you consider to be an acceptable risk threshold. Of course, your business relationship differs from vendor to vendor — and so you should refrain from setting one standard risk threshold for your entire network.

Instead, group or “tier” your vendors by criticality and then work with your team to determine an acceptable risk threshold for each group. For example, you may want to grant a higher level of risk tolerance to less critical vendors that hold none of your data and have no access to your corporate network, versus critical vendors that hold a great deal of data or have standing access to your company's systems. Make sure to establish criteria both for the vendor's overall risk and for the individual factors of its security posture, since a strong overall rating can mask a single finding you would never accept on its own.
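The tiering and threshold rules above can be written down as a screening check. The following is an added example written for this article, not BitSight's code: it assigns a tier from the two criteria named above (holds your data, has access to your systems), then applies both an overall-rating floor and per-factor floors for that tier, so a vendor can fail on a single factor even when its total rating is fine. The tier names, the threshold values, the rating scale (higher is better) and the 0 to 100 factor scores are assumptions chosen for illustration, and the three vendors are constructed sample data.

```python
"""Tiered vendor risk thresholds as code (added example; not BitSight's code).

Tier names, threshold values, the overall rating scale (higher is better) and
the 0..100 per-factor scores are assumptions for illustration. The vendors
below are constructed sample data, not real companies.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vendor:
    name: str
    holds_data: bool          # stores or processes our data
    network_access: bool      # has access into our systems
    rating: int               # overall security rating, higher is better (assumed scale)
    factors: Dict[str, int]   # per-factor scores, 0 (worst) .. 100 (best) (assumed scale)


@dataclass
class Policy:
    min_rating: int               # floor on the overall rating for this tier
    min_factor: Dict[str, int]    # explicit floors for individual factors
    default_min_factor: int       # floor for any factor not listed above


# Hypothetical thresholds; agree the real ones with legal, finance and compliance.
TIER_POLICIES: Dict[str, Policy] = {
    "critical": Policy(740, {"compromised_systems": 90, "exposed_credentials": 80}, 70),
    "important": Policy(650, {"compromised_systems": 70}, 50),
    "low": Policy(500, {}, 30),
}


def tier_for(vendor: Vendor) -> str:
    """Tier by criticality: data and access -> critical; one of them -> important; neither -> low."""
    if vendor.holds_data and vendor.network_access:
        return "critical"
    if vendor.holds_data or vendor.network_access:
        return "important"
    return "low"


def evaluate(vendor: Vendor) -> List[str]:
    """Return every threshold the vendor misses; an empty list means it passes its tier."""
    tier = tier_for(vendor)
    policy = TIER_POLICIES[tier]
    violations: List[str] = []
    # Gate 1: total risk, via the overall rating.
    if vendor.rating < policy.min_rating:
        violations.append(f"overall rating {vendor.rating} below {tier} floor {policy.min_rating}")
    # Gate 2: individual factors, so one bad finding cannot hide behind a good total.
    for factor, score in vendor.factors.items():
        floor = policy.min_factor.get(factor, policy.default_min_factor)
        if score < floor:
            violations.append(f"{factor} score {score} below {tier} floor {floor}")
    return violations


# Constructed sample vendors.
SAMPLE_VENDORS = [
    Vendor("Acme Payroll (sample)", True, True, 760,
           {"compromised_systems": 85, "patching_cadence": 72, "exposed_credentials": 88}),
    Vendor("Print Shop (sample)", True, False, 600, {"compromised_systems": 65}),
    Vendor("Office Plants Co (sample)", False, False, 520,
           {"compromised_systems": 85, "patching_cadence": 40}),
]


def screen(vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Screen a batch of vendors; maps each vendor name to its list of violations."""
    return {v.name: evaluate(v) for v in vendors}


if __name__ == "__main__":
    for name, violations in screen(SAMPLE_VENDORS).items():
        status = "PASS" if not violations else "FAIL"
        print(f"{status} {name}: {'; '.join(violations) or 'within tier thresholds'}")
```

Note that the sample critical vendor clears its overall floor comfortably and still fails, because its compromised-systems score is below the per-factor floor for that tier; that is the case the second gate exists for.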

Which risk factors should you consider?

When evaluating a potential vendor’s security posture, you should focus your efforts on a few key indicators of performance:

1. Compromised systems

Compromised systems are those that show evidence of a successful cyber attack. A compromised system does not necessarily mean data was lost, but each one indicates that the vendor's environment has been breached in some manner. At BitSight, we identify and classify compromised systems into the following risk types: botnet infections, spam propagation, malware servers, potentially exploited machines, and unsolicited communications. Because compromised systems are the factor most strongly correlated with the likelihood of a breach, it's critical that you assess whether any devices within a potential vendor's network are infected with malware.

2. Diligence

Data points in this category indicate whether a particular third party has taken steps to prevent an attack. To measure a vendor's effectiveness in implementing the necessary controls, BitSight analyzes security configurations and protocols associated with risk vectors such as open ports, patching cadence, and insecure systems. On your end, you should assess, for example, whether a potential vendor has proper email server configuration, such as published SPF and DMARC records that let receiving servers reject mail spoofing the vendor's domain. This helps prevent email-related attacks and indicates that the organization in question has good risk management practices in place.
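The email configuration check is one you can run yourself from a vendor's public DNS records. The following is an added example, not BitSight's method: it assumes that "email server configuration" means the vendor's published SPF and DMARC records, and scores them for the weaknesses a receiver would care about (an SPF record that authorises everyone or exceeds the 10-lookup limit, a DMARC policy that only monitors, a soft-fail SPF with no DMARC enforcement behind it). All records and domain names are constructed strings; no DNS is queried, so the lookup count covers only the top-level SPF record and does not expand includes.

```python
"""Assess a vendor's published SPF and DMARC records (added example, not BitSight's method).

SPF and DMARC are assumed here to be what 'email server configuration' covers.
All records below are constructed strings; in practice they come from TXT
lookups on the vendor's domain and on _dmarc.<domain>. No DNS is queried, so
the SPF lookup count covers the top-level record only (includes are not expanded).
"""
import re
from typing import Dict, List

# SPF terms that each cost one DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record; an empty list means nothing flagged."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        # A leading +, -, ~ or ? is the qualifier; the default qualifier is +.
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5) and unreliable")
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender; SPF is ineffective")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; unmatched senders are neither passed nor failed")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforces(record: str) -> bool:
    """True when the policy is quarantine or reject and applies to all failing mail."""
    tags = parse_dmarc(record)
    pct = tags.get("pct", "100")
    return tags.get("p", "").lower() in ("quarantine", "reject") and pct.isdigit() and int(pct) == 100


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means nothing flagged."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers treat the record as invalid, or as p=none if rua= is present")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so authentication failures go unseen")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> Dict[str, List[str]]:
    """Combine both checks; SPF soft fail (~all) is only acceptable with DMARC enforcement."""
    spf = assess_spf(spf_record)
    if "~all" in spf_record.split() and not dmarc_enforces(dmarc_record):
        spf.append("'~all' soft fail with no DMARC enforcement: spoofed mail is still delivered")
    return {"spf": spf, "dmarc": assess_dmarc(dmarc_record)}


# Constructed sample records for a well-configured and a weakly configured domain.
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 a mx ptr ~all"
WEAK_DMARC = "v=DMARC1; p=none"
TOO_MANY_SPF = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Treat the output as a starting point for a conversation with the vendor rather than a verdict: a p=none DMARC record is sometimes a deliberate monitoring phase before enforcement, and the lookup count will understate the real total whenever the record includes other domains.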

3. User behavior

Within this particular category, you should examine user activities that have the potential to introduce malicious software into a vendor's network, and from there into yours through the access the vendor holds. At BitSight, we highlight the following two risk types when classifying user behavior: file sharing and exposed credentials. When evaluating a potential vendor, consider whether employees of the company in question use peer-to-peer exchange protocols for sharing media and software, as these practices make a network more susceptible to malware infections.

4. Data breaches

Of course, before entering into a new vendor partnership, it's critical to know whether that organization has a recent history of breaches in which it was responsible for the data loss. BitSight collects information about publicly disclosed breaches from a variety of news sources and data breach aggregation services, so you'll always have this information at your disposal when conducting your third-party risk management assessments.

Streamline your vendor assessment with security ratings


As your vendor network grows, so does your attack surface. To protect the assets in your expanding digital ecosystem, you need to conduct the necessary due diligence on every third-party partner and confirm that each one meets your security standards. With a standard KPI like security ratings, it's easier than ever to assess a potential vendor's cybersecurity posture both before you sign and throughout the business relationship — saving you valuable time and resources.

Interested in learning more? Check out our new guide, 4 Ways to Optimize Your Vendor Onboarding Process With BitSight Security Ratings.
