What is Inherent Cyber Risk? How to Establish an Acceptable Level of Supply Chain Risk

Measuring an acceptable level of supply chain risk

To remain competitive, your business works with dozens if not hundreds of third-party vendors. Some of these will have direct access to your network and data, such as payroll companies and software providers.

But each vendor connected to your network brings cyber risk. Take for instance the 2020 SolarWinds breach, in which Russian threat actors compromised SolarWinds’ Orion software and inserted malware into its update function. From there they breached multiple targets that rely on the Orion platform—including the U.S. government.

When working with third parties, cyber risk is a key area of due diligence. But with so many companies in your vendor portfolio or waiting to be onboarded, it can be hard to scale your efforts using existing resources. However, you can work more efficiently if you determine the level of inherent cyber risk your organization is comfortable taking on and evaluate your vendors accordingly.  

Let’s look at three ways you can do that.

1. Determine the type of network and data access each vendor has

The first step to understanding the inherent cybersecurity risk that each vendor poses is to conduct an inventory of your third-party relationships.

It sounds logical, but with an uptick in shadow IT and cloud services, two-thirds of companies fail to maintain a vendor inventory. Without one it is hard to grasp the complex web of interconnected business relationships in your digital supply chain, or the level of data and network access granted to each of your vendors.

One way to overcome this challenge is to continuously monitor your extended digital ecosystem. For instance, with Bitsight you can quickly discover the vendors you do business with – and their relationships with subcontractors. With this insight, you can discover which vendors have access to which systems, track the flow of sensitive data across your supply chain, and identify risky business connections – such as third, fourth, and nth parties with less-than-stellar security postures.

From here, you can tier your vendors based on how closely they work with company data and establish standards for evaluating those in the top tier instead of wasting resources on lower-tier vendors that don’t have access to sensitive information.

2. Gain visibility into a vendor’s prior cybersecurity performance

The historical security performance of your third parties is a useful indicator of future performance. A vendor might not have had a cyber incident or data breach in the past year, but what if they suffered a serious breach in each of the five years prior?

Unfortunately, this information can be hard to glean. Questionnaire-based cybersecurity assessments are helpful, but the information provided by third parties is often subjective, and risk managers must take each vendor at their word.

A better way to determine a vendor’s historical security performance is to use Bitsight for Third-Party Risk Management. In addition to detecting cyber risk in a vendor’s current digital environment – such as vulnerabilities and malware – Bitsight reflects their overall security performance over time. Analyzing that historical data can help your security and risk management teams decide whether a vendor requires more diligent assessment during onboarding or more frequent audits over the contract term.


3. Set acceptable levels for inherent cyber risk

Another way to establish the risk you’re willing to take with your vendors is to set an acceptable risk threshold and pre-screen proposed vendors accordingly. For instance, using Bitsight for Third-Party Risk Management – which relies on the Bitsight Security Ratings platform – you can set clearly defined baselines for acceptable risk.

Security ratings, which range from 250 to 900, are updated daily to provide unprecedented visibility into a vendor’s security posture. Use these insights to establish acceptable risk thresholds for vendors in each tier and develop language, such as cybersecurity SLAs, to ensure they consistently meet these thresholds. For instance, those with lower ratings may require more stringent security controls to ensure that they meet predetermined risk thresholds throughout the life of your contracts.

If Bitsight detects that a vendor’s security rating dips below the established threshold, you can reach out to that vendor, share Bitsight’s findings, and collaborate more effectively to mitigate cyber risk.
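The three steps above, as an added Python example that is not Bitsight's code: vendors are tiered by the access they hold, each tier gets a minimum acceptable rating on the 250-to-900 scale, the daily rating history is checked for dips below that threshold, and breaches inside a lookback window flag top-tier vendors for closer assessment. The tier labels, threshold values and sample portfolio are constructed for illustration.

```python
from dataclasses import dataclass, field

RATING_MIN, RATING_MAX = 250, 900  # rating scale named on the page

# Step 1: tier follows the kind of network/data access a vendor holds; step 3: a
# minimum acceptable rating per tier. Labels and values are constructed, not Bitsight guidance.
ACCESS_TIER = {"network_and_data": 1, "sensitive_data": 1, "internal_systems": 2, "none": 3}
TIER_THRESHOLD = {1: 700, 2: 600, 3: 500}


@dataclass
class Vendor:
    name: str
    access: str
    rating_history: list  # [(YYYY-MM-DD, rating)] oldest first, constructed data
    breach_years: list = field(default_factory=list)  # years with a known incident


def screen(vendor, lookback_years=5):
    """Evaluate one vendor against its tier's risk appetite; returns a dict of findings."""
    tier = ACCESS_TIER[vendor.access]
    threshold = TIER_THRESHOLD[tier]
    for _, rating in vendor.rating_history:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{vendor.name}: rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    latest_date, current = vendor.rating_history[-1]
    # Step 3 alerting: every day on which the daily rating fell below the tier threshold.
    dip_dates = [d for d, r in vendor.rating_history if r < threshold]
    # Step 2: incidents inside the lookback window, not only the most recent year.
    latest_year = int(latest_date[:4])
    recent_breaches = sorted(y for y in vendor.breach_years if latest_year - lookback_years < y <= latest_year)
    return {
        "tier": tier,
        "threshold": threshold,
        "current": current,
        "meets_threshold": current >= threshold,  # onboarding pre-screen result
        "dip_dates": dip_dates,
        "recent_breaches": recent_breaches,
        # Only top-tier vendors earn the in-depth assessment; lower tiers are not worth it.
        "needs_enhanced_assessment": tier == 1 and bool(dip_dates or recent_breaches),
    }


# Constructed sample portfolio: a payroll provider with data access and a low-tier supplier.
PORTFOLIO = [
    Vendor("PayrollCo", "sensitive_data",
           [("2024-03-01", 720), ("2024-03-02", 690), ("2024-03-03", 710)], [2021]),
    Vendor("CateringCo", "none", [("2024-03-03", 520)], [2018]),
]


def screen_portfolio(vendors=PORTFOLIO):
    return {v.name: screen(v) for v in vendors}
```

Running `screen_portfolio()` shows PayrollCo meeting its threshold today yet flagged for enhanced assessment because of the 2024-03-02 dip and the 2021 breach, while CateringCo passes with nothing to act on.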

Learn more about how you can better evaluate vendor risk by adding these tools to your cyber risk management toolkit.