During the third-party onboarding process, it is a security professional’s job to evaluate a potential vendor’s security policies and practices.
This screening typically follows a pre-agreed “new vendor due diligence” checklist or assessment. However, this form of cyber security due diligence can introduce frustrating delays and procedural roadblocks into the onboarding process. Security risk assessments (which may include risk assessment questionnaires, penetration testing, and even site visits) are time-consuming and hard to scale across the hundreds or thousands of vendors that your organization works with. According to Gartner, 60% of organizations work with more than 1,000 third parties.
This type of due diligence is also often a one-and-done exercise, and that leaves a gap. A point-in-time assessment cannot account for changes in a vendor’s security posture after the assessment is complete, so a vendor that passed on the day of onboarding may be carrying exploitable weaknesses a year later without your knowledge, leaving your organization open to attack through that vendor.
How can you adapt your processes to streamline due diligence in cyber security? Let’s look at four best practices.
One way to save time during vendor onboarding due diligence is to group or tier your vendors based on how critical they are to your organization. For example, a vendor that provides a mission-critical service or has access to your sensitive data would be a higher priority than one that neither holds proprietary information nor performs a mission-critical function.
Instead of adopting a one-size-fits-all approach to the evaluation process, tiering helps you determine whether a vendor needs a more in-depth assessment – such as a site visit – or requires fewer touchpoints.
Tiering requires consultation with your legal, finance, and compliance teams, but you can fast track the process using BitSight’s tier recommender service. The service uses tiering best practices and provides a suggested tier for each vendor – saving more time and effort on your part.
Once you’ve tiered your third parties, it’s time to conduct cyber security due diligence into their security postures.
Instead of relying on traditional, resource-intensive vendor evaluations, you can expedite this process using BitSight Security Ratings.
These ratings, which range from 250 to 900, let you compare vendors’ security profiles side by side and prioritize them according to risk – with a higher score suggesting a stronger security posture. Unlike point-in-time snapshot assessments, ratings are updated daily to provide continuous visibility into a vendor’s security posture. Because a rating is derived from externally observable signals, treat it as a prioritization input rather than as proof of a vendor’s internal controls; it tells you where to look harder, not that you can stop looking.
With this insight, you can go beyond your initial tiering and further prioritize which vendors need the most attention. You may decide, for example, that vendors with high security ratings need a lighter assessment, while vendors with lower ratings warrant a more thorough one.
You can also use BitSight Security Ratings to establish acceptable risk thresholds and develop contract language to ensure that your entire third-party network meets those thresholds.
For example, you might consult with your legal and finance teams to put extra contractual controls in place based on the rating of a particular vendor. Those with lower ratings may require more stringent controls to ensure that they meet your acceptable risk threshold.
Once you have established this threshold, continue to collaborate with legal to devise policies and enforceable contract language, such as cyber security SLAs, to ensure compliance throughout the life of your contracts.
Work with the team to develop a remediation plan in case a vendor dips below the established threshold, and then engage in ongoing monitoring to ensure that the third parties in your vendor network continue to hold up their ends of the security bargain.
Cyber security due diligence doesn’t end once the contract is signed. It’s critical that you stay aware of the security postures of your vendors throughout the remainder of your partnerships.
BitSight allows you to set the appropriate level of monitoring based on a vendor’s closeness to sensitive company data. You can also set alerts for when a vendor’s rating changes and create rules that define when a vendor reassessment is required – such as when a critical vendor’s security rating falls below a pre-agreed SLA.
Cyber security due diligence pre-engagement and post-signing can take its toll on security, legal, and compliance teams, but with the best practices outlined above – coupled with automated, continuous monitoring solutions – your organization can lower the risk of working with third parties and ease the burden on employees.