Why You Should Assess Your Vendor's Security Performance Frequently

Noah Simon | May 7, 2015

Third-party breaches still account for a large share of security incidents. According to this year's Verizon Data Breach Investigations Report (DBIR), in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital links in supply chains. The phrase "you are only as strong as your weakest link" has been repeated ad nauseam, but it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:

Security posture can change at any time

New vulnerabilities emerge every day. Addressing them internally is already time-consuming for companies, yet the same work must be done for partners and third parties. While high-profile vulnerabilities such as Heartbleed and POODLE are widely publicized, third parties may have other, less visible points of weakness. For example, SPF records may not exist at all, or they may reference too many hosts. In addition, DKIM records may use weak, short keys or, worse, keys that have expired.
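The two email-authentication weaknesses just mentioned (a missing or over-long SPF record, and a DKIM key that is weak or revoked) can be checked mechanically against a vendor's published DNS TXT records. The following is an added example, not code from the original post or from BitSight: it counts the DNS-lookup terms in an SPF record against the ten-lookup limit of RFC 7208, and parses a DKIM `p=` public key far enough to read the RSA modulus size (RFC 8301 requires at least 1024 bits and recommends 2048). The records it runs on are constructed inline; the DKIM key is a structurally valid but dummy modulus, assumed only so the parser has something to decode offline. Real checks would fetch the TXT records from DNS first.

```python
"""Offline SPF / DKIM posture checks on TXT record strings (added example)."""
import base64
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10      # RFC 7208 section 4.6.4: more than 10 is a permerror
DKIM_MIN_RSA_BITS = 1024   # RFC 8301 minimum; 2048 recommended


def check_spf(txt_records):
    """txt_records: TXT strings at the domain apex. Returns presence, lookup count, issues."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "lookups": 0, "issues": ["no SPF record"]}
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records (evaluates to permerror)")
    terms = spf[0].split()[1:]
    # Strip the qualifier (+ - ~ ?) and take the mechanism/modifier name before : / =
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_MECHANISMS)
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS-lookup terms exceeds limit of {SPF_LOOKUP_LIMIT}")
    if terms and terms[-1].lstrip("+") == "all":
        issues.append("+all permits any host to send")
    return {"present": True, "lookups": lookups, "issues": issues}


def parse_dkim(txt):
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, spki, _ = _der_read(spki_der, 0)            # SEQUENCE SubjectPublicKeyInfo
    _, _alg, pos = _der_read(spki, 0)              # SEQUENCE AlgorithmIdentifier
    tag, bitstr, _ = _der_read(spki, pos)          # BIT STRING subjectPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_read(bitstr[1:], 0)       # skip unused-bits byte; SEQUENCE RSAPublicKey
    tag, modulus, _ = _der_read(rsa_key, 0)        # INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim(txt):
    """Flag an empty (revoked) key, an unparsable key, or an RSA key below the minimum."""
    tags = parse_dkim(txt)
    issues = []
    p = "".join(tags.get("p", "").split())         # TXT chunks may insert whitespace
    if not p:
        return {"present": True, "bits": 0, "issues": ["empty p= (key revoked)"]}
    if tags.get("k", "rsa") != "rsa":
        return {"present": True, "bits": None, "issues": issues}
    try:
        bits = rsa_modulus_bits(base64.b64decode(p))
    except Exception:
        return {"present": True, "bits": None, "issues": ["malformed p= key"]}
    if bits < DKIM_MIN_RSA_BITS:
        issues.append(f"RSA key is {bits} bits, below {DKIM_MIN_RSA_BITS}")
    return {"present": True, "bits": bits, "issues": issues}


# --- constructed test data: a dummy DKIM record with a modulus of chosen size (not a real key) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)


def make_test_dkim_record(modulus_bits):
    n = (1 << (modulus_bits - 1)) | 1                   # dummy odd number of exact bit size
    rsa = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    print(check_spf(["v=spf1 include:_spf.example.net mx a ptr " + "include:x.example " * 7 + "-all"]))
    print(check_dkim(make_test_dkim_record(512)))
```

Note that the SPF count here is the number of lookup-triggering terms in the top-level record only; in practice each `include:` and `redirect=` pulls in further records whose own terms count toward the same limit, so a recursive resolver-backed check will find more than this static count.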

In addition, security leadership changes as CISOs and senior IT professionals leave organizations. Monitoring security is vital to maintaining trust even when business relationships change.

Reporting to the Board

Frequent assessments of vendor security performance allow for confident reporting to the board. An audit, penetration test, or vulnerability scan performed six months before a board meeting does not offer an accurate, up-to-date picture of vendor security performance, and it is rarely practical to rerun these tests just before each meeting. Combined with continuous monitoring, however, they provide a comprehensive view of vendor security, so that you can confidently report to your board on your vendors' security at any time.

Most IT professionals want to monitor frequently

In a study by BitSight and Forrester, 59% of IT professionals surveyed indicated a desire to monitor third parties, yet only 22% were doing so on at least a monthly basis. Despite that expressed interest, organizations across all industries struggle to continuously monitor vendors. In a recent survey of 40 banks in New York, only roughly one third require vendors to notify them of any breaches of the vendors' own networks.

The desire to monitor vendor security performance is rising. However, third-party breaches continue to occur at an alarming rate as organizations struggle to implement continuous monitoring solutions. Simply having a program to monitor third-party security performance is not enough. Organizations that monitor third parties more frequently will be better able to mitigate third-party risk.
