You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.
To ensure that you’re protected from vendor risks—particularly as they apply to cybersecurity—follow the five steps below.
Vendor Risks: 5 Ways To Improve Third-Party Cybersecurity
1. List all of your vendors and third parties.
Don’t write this step off as being simplistic; no vendor relationship should be considered inconsequential. With the help of department heads around your organization, make a thorough list of every vendor, third party, contractor, business unit, and partner you work with, no matter how minor the connection may seem.
2. Tier the listed vendors based on criticality.
Based on the impact a breach would have on your company, sort vendors into three categories—high, medium, and low risk. You’ll have to determine the assessment criteria yourself, but you should consider the following for certain:
How much access the vendor has to your data.
The sensitivity of the data your vendor has access to.
How critical the vendor’s work is to your daily operations.
3. Assess the security of your most critical vendors.
At this point, you know which vendors you consider highest risk—emphasize security assessments for those vendors first. There are a few ways you can go about assessing their security:
Perform a technical scan. Penetration tests and vulnerability scans provide a deep, technical analysis of your vendor’s network.
Ask them to fill out a questionnaire. Many companies use standard vendor questionnaire lists like those from Shared Assessments to start, then add additional questions specific to their own organization.
Send someone to do an on-site visit. A representative from your organization may interview the vendor personally based on questions from ISO 27001 or NIST Special Publication 800-53 to get a better understanding of that vendor’s security.
4. Make sure all your vendor contracts clearly define cybersecurity expectations.
If your cybersecurity expectations for your third parties aren’t crystal clear, you’re increasing your vendor risk dramatically. Consider what you want your vendors to be held accountable for, and work with your legal team to ensure all future contracts lay out these expectations clearly. For example, you may want to hold your vendors to an industry-specific compliance standard or add breach notification requirements. You’ll also need to return to previous contracts to ensure this language is present, and renegotiate those where it is not.
5. Use ongoing monitoring software for the highest level of protection.
As we mentioned, traditional vendor risk management strategies like penetration tests and questionnaires have their merits and shouldn’t be discounted—but these tools can only capture the security of a vendor at the moment the test is performed. Cybersecurity is constantly evolving—which is why employing the use of a continuous monitoring tool like BitSight is so important. When you use BitSight’s Security Ratings, you’ll know almost immediately when a vendor’s network changes so they can begin remediating any issues right away.
Want a list of the questions you should be asking your vendors?
This free guide outlines just that, along with risk vectors and configurations you should know about, and more. Download it today to keep your vendor risk initiatives going strong!