Companies must build a “trust but verify” strategy for managing third-party risk. Requesting documentation about a supplier’s security performance is a good start, but how do you verify it, and how do you review that performance continuously?
These are pressing issues for organisations today. The bottom line is that an organisation can follow every best practice in the cyber security book, but unless its third parties meet the same security obligations, the supply chain remains exposed. Companies must continuously assess and review the security posture and performance of all partners, both to keep visibility of a changing threat landscape and to prioritise risk-mitigating actions. As vendor ecosystems keep expanding, the tools to analyse third-, fourth- and even fifth-party risk have never mattered more than they do today.
But where do you start?
A good approach is to tier your third parties by criticality: prioritise your efforts on those that have access to the most sensitive data or that provide the most important services. For immediate insight, use publicly observable data such as that behind a security rating; it gives broad and deep insight into a variety of risk areas. Recognise that the risk does not stop at third parties: partner with them, and use data and automation to understand your fourth-, fifth- and Nth-party risk as well.
This is exactly what Bayer, one of the largest life science companies in the world, has just done. Headquartered in Leverkusen, Germany, Bayer is a global enterprise with core competencies in the Life Science fields of health care and agriculture.
Bayer kicked off a programme to streamline the work it was already doing to understand the cybersecurity posture of its vendors. It considered alternatives such as sending out questionnaires or running audits, and concluded that those methods require substantial internal effort and should therefore be reserved for where the substantial risks lie. Bayer realised that addressing its top-tier vendor ecosystem with a dynamic, automated and continuous method of obtaining data would be the most efficient solution.
It therefore approached BitSight with a view to using our security ratings platform. Issuing daily ratings that are akin to a credit score for security, we help companies flag not only their own risks but also those of the companies they do business with, such as vendors, partners, suppliers and acquisition targets.
The BitSight platform gives Bayer a rating between 250 and 900 for each vendor, continuously updated as new data is observed; the higher the rating, the better the vendor’s security posture. The programme has now commenced and will be evaluated after six months, but the team at Bayer is convinced that the benefits will show quickly.
Using the BitSight platform, Bayer now has data-driven, dynamic measurements of its third-party vendors’ cyber security performance, derived from objective, verifiable information. This gives Bayer the confidence to make faster, more strategic cyber risk management decisions.
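The tiering approach described earlier and the continuously updated 250–900 rating scale combine naturally into a prioritised review queue. The following is an added illustration written for this page, not BitSight’s or Bayer’s code and not the BitSight API: the vendor records, the 0–3 sensitivity and criticality scales, the daily rating histories, the supplier edges and the floor/drop thresholds are all constructed for the example. It tiers vendors by data access and service importance, flags vendors whose latest rating is below a floor or has fallen sharply over the last week, orders the queue most-critical-tier-first, and walks supplier dependencies to surface fourth- and Nth-party exposure.

```python
"""Tiering third parties and prioritising review from a daily rating feed.

Added example, not BitSight's or Bayer's code. Vendor data, the 0-3
sensitivity/criticality scales, supplier edges and thresholds are
constructed for illustration; only the 250-900 rating scale is from
the text.
"""
from dataclasses import dataclass, field
from statistics import mean

RATING_MIN, RATING_MAX = 250, 900  # scale from the text; higher is better


@dataclass
class Vendor:
    name: str
    data_sensitivity: int     # 0 = no data access .. 3 = most sensitive (assumed scale)
    service_criticality: int  # 0 = peripheral .. 3 = business critical (assumed scale)
    ratings: list             # daily ratings, oldest first (constructed feed)


def tier(v: Vendor) -> int:
    """Tier 1 = most critical. Combines data access and service importance."""
    score = v.data_sensitivity + v.service_criticality
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


def validate_rating(r: int) -> int:
    """Reject values outside the published scale rather than silently ranking them."""
    if not RATING_MIN <= r <= RATING_MAX:
        raise ValueError(f"rating {r} outside {RATING_MIN}-{RATING_MAX}")
    return r


def rating_drop(v: Vendor, window: int = 7) -> int:
    """Points lost: mean of the previous `window` daily ratings minus today's."""
    if len(v.ratings) < 2:
        return 0
    prior = v.ratings[-(window + 1):-1]
    return round(mean(prior)) - v.ratings[-1]


def review_queue(vendors, floor: int = 600, max_drop: int = 40):
    """Vendors needing attention: most critical tier first, lowest rating first."""
    queue = []
    for v in vendors:
        latest = validate_rating(v.ratings[-1])
        reasons = []
        if latest < floor:
            reasons.append(f"rating {latest} below floor {floor}")
        drop = rating_drop(v)
        if drop > max_drop:
            reasons.append(f"dropped {drop} points over the last week")
        if reasons:
            queue.append((v.name, tier(v), latest, reasons))
    return sorted(queue, key=lambda e: (e[1], e[2]))


def nth_parties(third_parties, supplier_edges):
    """Depth map: 3 = third party, 4 = fourth party, ... via BFS over supplier edges.

    A supplier reached by several paths keeps its shallowest depth; the
    `not in depth` check also stops cycles between suppliers.
    """
    depth = {name: 3 for name in third_parties}
    frontier = list(third_parties)
    while frontier:
        name = frontier.pop(0)
        for sub in supplier_edges.get(name, []):
            if sub not in depth:
                depth[sub] = depth[name] + 1
                frontier.append(sub)
    return depth


# Constructed sample data (eight daily ratings per vendor).
VENDORS = [
    Vendor("PayrollCo", 3, 3, [820, 815, 818, 810, 805, 790, 760, 730]),   # tier 1, sharp drop
    Vendor("CloudHost", 3, 2, [700, 702, 698, 701, 699, 700, 700, 700]),   # tier 1, stable
    Vendor("CateringLtd", 0, 1, [560, 565, 570, 560, 555, 550, 548, 545]), # tier 3, below floor
    Vendor("AnalyticsCo", 2, 1, [640, 640, 638, 635, 630, 628, 625, 620]), # tier 2, fine
]
# Constructed supplier graph: who each vendor itself relies on.
SUPPLIER_EDGES = {
    "PayrollCo": ["CloudHost"],
    "CloudHost": ["DnsProvider"],
    "DnsProvider": ["CloudHost"],  # cycle, handled by the visited check
}

if __name__ == "__main__":
    for name, t, latest, reasons in review_queue(VENDORS):
        print(f"tier {t} {name}: {latest} ({'; '.join(reasons)})")
    print(nth_parties([v.name for v in VENDORS], SUPPLIER_EDGES))
```

With the constructed data, PayrollCo heads the queue (tier 1, rating fell 73 points in a week even though it is still above the floor) and CateringLtd follows (tier 3, rating 545 below the floor); CloudHost and AnalyticsCo are not queued. The dependency walk shows DnsProvider as a fourth party and also that CloudHost is both a direct vendor and a supplier to PayrollCo, which is the kind of concentration the fourth- and Nth-party view is meant to expose.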