Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.
If your organization is entering into a relationship with a vendor or partner, vendor due diligence is key to mitigating third-party risk. Vendor due diligence allows risk management and compliance teams to make informed decisions about who your organization does business with and protect it against potential liabilities, such as exposure to corruption laws or reputational impacts.
Performing vendor due diligence around third-party relationships has become increasingly important. As your business increases its reliance on third parties, it’s critical that these vendors are vetted thoroughly for cyber risk.
What is vendor due diligence in cyber security?
During the third-party onboarding process, it is a security professional’s job to evaluate a potential vendor’s security policies and practices.
Typically, this screening process might follow a pre-agreed “new vendor due diligence” checklist or assessment. However, this can introduce frustrating delays or procedural roadblocks into the onboarding process. Security risk assessments (which may include risk assessment questionnaires, penetration testing, and even site visits) are time-consuming and hard to scale across the dozens if not hundreds of vendors that your organization works with. According to Gartner, 60% of organizations work with more than 1,000 third parties.
This type of vendor due diligence in cyber security is often a one-and-done process that can expose your organization to vulnerabilities. That’s because point-in-time assessments fail to account for evolving risk and changes in your vendors’ cybersecurity postures, leaving you open to possible cyberattacks.
How can you adapt your processes to streamline vendor due diligence in cyber security? Let’s look at four best practices.
4 best practices for vendor due diligence in cyber security
1. Tier vendors by criticality
One way to save time during vendor onboarding due diligence is by grouping or tiering your vendors based on how critical they are to your organization. For example, a company that provides an important service or has access to your sensitive data would be a higher priority than a company that does not have immediate access to proprietary information or performs a mission-critical function.
Instead of adopting a one-size-fits-all approach to the evaluation process, tiering helps you determine whether a vendor needs a more in-depth assessment – such as a site visit -- or requires fewer touchpoints.
Tiering requires consultation with your legal, finance, and compliance teams, but you can fast track the process using BitSight’s tier recommender service. The service uses tiering best practices and provides a suggested tier for each vendor – saving more time and effort on your part.
2. Evaluate third-party cyber security risk using security ratings
Once you’ve tiered your third parties, it’s time to conduct vendor due diligence into their security postures.
Instead of relying on traditional, resource-intensive vendor evaluations, you can expedite this process using BitSight Security Ratings.
These ratings, which range from 250 to 900, empower you by comparing vendors’ security profiles side-by-side and allow you to prioritize them according to risk – with a higher score suggesting a stronger security posture. Unlike point-in-times snapshot assessment practices, ratings are updated daily to provide unprecedented visibility into a vendor’s security posture.
With this insight, you can go beyond your initial tiering and further prioritize which vendors need the most attention. You may decide, for example, that the assessment process for vendors with high security ratings may not need to be as rigorous, while the process for vendors with lower ratings could be more thorough.
3. Set acceptable cyber security risk thresholds
You also can use BitSight Security Ratings to establish acceptable risk thresholds and develop language to ensure that your entire third-party network meets these thresholds.
For example, you might consult with your legal and finance teams to put extra contractual controls in place based on the rating of a particular vendor. Those with lower ratings may require more stringent cybersecurity controls to ensure that they meet your acceptable risk threshold.
Once you have established this threshold, continue to collaborate with legal to devise policies and enforceable contract language, such as cyber security SLAs, to ensure compliance throughout the life of your contracts.
Work with the team to develop a cybersecurity remediation plan in case a vendor dips below the established threshold, and then engage in ongoing monitoring to ensure that the third parties in your vendor network continue to hold up their ends of the security bargain.
4. Monitor your vendors continuously
Vendor due diligence doesn’t end once the contract is signed. It’s critical that you stay aware of the security postures of your vendors throughout the remainder of your partnerships.
BitSight allows you to set the appropriate level of monitoring based on a vendor’s closeness to sensitive company data. You can also set alerts for when a vendor’s rating changes and create rules that define when a vendor reassessment is required – such as when a critical vendor’s security rating falls below a pre-agreed SLA.
Protect your organization from risk
Vendor due diligence pre-engagement and post-signing can take its toll on security, legal, and compliance teams, but with the best practices outlined above -- coupled with automated, continuous monitoring solutions -- your organization can lower the risk of working with third parties and ease the burden on employees.