When using dozens, hundreds, even thousands of vendors, how safe is a company’s digital assets? According to a recent Ponemon Institute study, almost half of respondents (49%) said that they had experienced a data breach caused by a vendor that resulted in a loss and misuse of sensitive or confidential information.
Cyber risk — which is the risk of financial loss, disruption or damage to an organization’s reputation from an attack of IT systems — is proving costly to American companies. According to Business Insider, the average cost of a data breach is $6.53 million. The amount gets more staggering when coupled with the previous statistic that almost half of companies report vendor-caused breaches.
“No institution has the resources to completely eliminate cyber risks,” said Leslie Chacko, Evan Sekeris and Claus Herbolzheimer, in a recent article from the Harvard Business Review. “That means helping businesses to make the right strategic choices regarding which threats to mitigate is all the more important. But right now, these decisions are made based on an incomplete understanding of the cost of the various vulnerabilities. Organizations often fail to take into account all of the possible repercussions, and have a weak grasp of how the investments in controls will decrease the probability of a threat. It’s often unclear whether they are stopping a threat or just decreasing its probability — and if so, by how much?”
Three Areas of Cyber Risk
To mitigate cyber risk, a company needs to constantly monitor three distinct areas, both internally and externally:
- Events, such as malware and ransomware infections on the company or vendor network.
- Diligence, which shows how well your security team or the IT team is patching vulnerabilities and keeping up to date with the most effective security practices.. For example, a company or vendor without a TLS or SSL certificate shows a lack of security diligence. And if the company or vendor doesn’t have a strong level of encryption, that’s also a good indicator of how insufficient its security program might be.
- User behavior, which is how well employees are trained on cyber risk. For example, do employees know not to click on malicious links in emails? Are they illegally downloading files on a company network?
Continuous Risk Assessment when Selecting Vendors
One way to help measure cyber risk is with a continuous risk assessment tool. Continuous risk assessment allows for ongoing awareness of information security, vulnerability and threats that a company or a vendor may pose. BitSight Security Ratings lets you monitor events, diligence and user behavior in real-time, so threats and warnings are immediate. Other benefits of security ratings include:
- Validation regarding the truth to a vendor’s security posture. It’s not about what vendors tell you they are doing — it's about what continuous risk assessment shows you that they are doing in real time.
- Keeping current and knowing security trends as they happen in order to be better prepared.
- Alerts that help you assess a vendor’s vulnerability in real time.
- The ability to pre-assess a vendor’s cyber risk before onboarding.
Above all, security ratings raises awareness of issues long before traditional solutions, such as audits or checklist assessments, which are typically performed quarterly or annually. For example, if an event such as malware or spam is detected, the vendor’s rating will be downgraded due to their inherent risk, and the company monitoring their BitSight Security Rating solution can be alerted about that vendor’s new security posture.
- See the level of security risk that vendors pose before engaging with them.
- Track vendors’ security performance. You might have a short list of vendors you want to work with. With BitSight Security Ratings, you can factor the security performance of the vendor before making a decision to start a relationship. Even if you choose a vendor but haven’t begun detailing all the contracts, you can still monitor its security.
- Continuously monitor their security performance throughout the lifecycle of your relationship with them.
- Terminate a vendor based on security performance. For example, if a vendor experiences a breach and doesn’t notify you or is constantly under-performing with its security rating, continuous risk assessment protects your data while giving you good reason to end the relationship.
BitSight lets companies purchase a one-time security rating report that can be used for assessing cyber risk and vendor selection. For example, a BitSight report will tell you if there is an infection on the vendor’s network and how long it’s been there. If you are looking at a vendor and see the infection has been active for 30 days, that’s a clear red flag that the vendor’s security program may be unacceptable.
Companies may have a cyber risk management program either internally or vendor facing only because they are included in some form of compliance and regulatory program, such as PCI, HIPAA or being audited by the FDIC or other external body. Mapping your continuous monitoring data to standards such as NIST and PCI will become a must in the future as it becomes harder to ascertain the accuracy your vendor’s security posture.
Traditionally, companies dealt with cyber risk because of regulatory requirements and not because of their board mandating them to do so. That certainly still remains true, but more companies are looking for cyber risk solutions because the changing threat landscape dictates it. And that’s what continuous risk assessment does: As cyber risk changes and evolves, your ability to measure the vulnerability of your vendors must evolve as well, and that’s what the BitSight solution does.
For more information about security ratings, visit bitsight.com, or download its guide: A Security Manager’s Guide to Vendor Risk Management.