Cyber Security Due Diligence: 4 Best Practices to Protect your Organization from Risk

Kaitlyn Graham | October 26, 2021 | tag: Cybersecurity

If your organization is entering into a relationship with a vendor or partner, due diligence is key to mitigating third-party risk. It allows risk management and compliance teams to make informed decisions about who your organization does business with and to protect it against potential liabilities, such as exposure under anti-corruption laws or reputational damage.

Performing cyber security due diligence around third-party relationships has become increasingly important. As your business increases its reliance on third parties, it’s critical that these vendors are vetted thoroughly for cyber risk.

What is due diligence in cyber security?


During the third-party onboarding process, it is a security professional’s job to evaluate a potential vendor’s security policies and practices.

Typically, this screening process follows a pre-agreed “new vendor due diligence” checklist or assessment. However, this form of cyber security due diligence can introduce frustrating delays or procedural roadblocks into the onboarding process. Security risk assessments (which may include risk assessment questionnaires, penetration testing, and even site visits) are time-consuming and hard to scale across the dozens, if not hundreds, of vendors that your organization works with. According to Gartner, 60% of organizations work with more than 1,000 third parties.

This type of due diligence in cyber security is also often a one-and-done process, which leaves your organization exposed. A point-in-time assessment reflects a vendor’s posture only on the day it was performed; it does not account for new vulnerabilities, infrastructure changes, or a deterioration in the vendor’s security practices over the life of the contract.

How can you adapt your processes to streamline due diligence in cyber security? Let’s look at four best practices.

4 best practices for due diligence in cyber security


1. Tier vendors by criticality

One way to save time during vendor onboarding due diligence is by grouping or tiering your vendors based on how critical they are to your organization. For example, a company that provides an important service or has access to your sensitive data would be a higher priority than a company that has no immediate access to proprietary information and does not perform a mission-critical function.

Instead of adopting a one-size-fits-all approach to the evaluation process, tiering helps you determine whether a vendor needs a more in-depth assessment (such as a site visit) or requires fewer touchpoints.

Tiering requires consultation with your legal, finance, and compliance teams, but you can fast track the process using BitSight’s tier recommender service. The service uses tiering best practices and provides a suggested tier for each vendor – saving more time and effort on your part.

2. Evaluate third-party cyber security risk using security ratings


Once you’ve tiered your third parties, it’s time to conduct cyber security due diligence into their security postures.

Instead of relying on traditional, resource-intensive vendor evaluations, you can expedite this process using BitSight Security Ratings.

These ratings, which range from 250 to 900, let you compare vendors’ security profiles side-by-side and prioritize them according to risk, with a higher score suggesting a stronger security posture. Unlike point-in-time snapshot assessments, ratings are updated daily to provide ongoing visibility into a vendor’s security posture.

With this insight, you can go beyond your initial tiering and further prioritize which vendors need the most attention. You may decide, for example, that the assessment process for vendors with high security ratings need not be as rigorous, while the process for vendors with lower ratings should be more thorough.

3. Set acceptable cyber security risk thresholds


You can also use BitSight Security Ratings to establish acceptable risk thresholds and develop contract language to ensure that your entire third-party network meets these thresholds.

For example, you might consult with your legal and finance teams to put extra contractual controls in place based on the rating of a particular vendor. Those with lower ratings may require more stringent controls to ensure that they meet your acceptable risk threshold.

Once you have established this threshold, continue to collaborate with legal to devise policies and enforceable contract language, such as cyber security SLAs, to ensure compliance throughout the life of your contracts.

Work with the team to develop a remediation plan in case a vendor dips below the established threshold, and then engage in ongoing monitoring to ensure that the third parties in your vendor network continue to hold up their ends of the security bargain.

4. Monitor your vendors continuously


Cyber security due diligence doesn’t end once the contract is signed. It’s critical that you stay aware of the security postures of your vendors throughout the remainder of your partnerships.

To keep a finger on the pulse of your vendors’ changing risk profiles, use a continuous monitoring solution like BitSight for Third-Party Risk Management.

BitSight allows you to set the appropriate level of monitoring based on a vendor’s closeness to sensitive company data. You can also set alerts for when a vendor’s rating changes and create rules that define when a vendor reassessment is required – such as when a critical vendor’s security rating falls below a pre-agreed SLA.  

Protect your organization from risk


Cyber security due diligence pre-engagement and post-signing can take its toll on security, legal, and compliance teams. But with the best practices outlined above, coupled with automated, continuous monitoring solutions, your organization can lower the risk of working with third parties and ease the burden on employees.

