Why You Should Assess Your Vendor's Security Performance Frequently

Noah Simon | May 7, 2015

Third-party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital links in supply chains. While the phrase “you are only as strong as your weakest link” has been used ad nauseam, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:

Security posture can change at any time

New vulnerabilities emerge each day. Addressing them internally is time-consuming enough, yet the same work must be done for partners and third parties. While headline vulnerabilities such as Heartbleed and POODLE are highly publicized, third parties may have other, less high-profile points of weakness. For example, SPF records may not exist, or they may authorize too many hosts. Likewise, DKIM records may use weak keys, or worse, they may be expired.
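As an added example (not the author's or BitSight's code), the two DNS checks mentioned above in Python: counting the DNS-lookup terms in an SPF record against the RFC 7208 limit of 10 and flagging a permissive `all`, and reading the RSA key size out of a DKIM `p=` tag by walking its DER structure. The SPF record, the DKIM record and the 1024-bit key inside it are constructed for the example; the key is dummy DER framing around a placeholder modulus, not a real key.

```python
import base64
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup (RFC 7208 s.4.6.4)

def assess_spf(txt_records):
    """Findings for a domain's TXT records; an empty list means the SPF record looks sane."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    findings, lookups = [], 0
    for term in spf[0].split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        lookups += name in LOOKUP_TERMS
        if name == "all" and term[0] not in "-~":  # "+all" / "?all" never reject a sender
            findings.append(f"'{term}' fails to reject unlisted hosts")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings

def _walk(buf, pos):
    """Return (content_start, content_end) of the DER TLV that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Key size of an RSA SubjectPublicKeyInfo (what DKIM's p= tag carries)."""
    start, _ = _walk(spki, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _walk(spki, start)        # AlgorithmIdentifier, skipped
    bits, _ = _walk(spki, alg_end)         # BIT STRING; first content byte = unused bits
    seq, _ = _walk(spki, bits + 1)         # RSAPublicKey SEQUENCE
    mod_start, mod_end = _walk(spki, seq)  # modulus INTEGER
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def assess_dkim(record, min_bits=2048):
    """Findings for one selector's DKIM TXT record: revoked keys and short RSA keys."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if not tags.get("p"):
        return ["key revoked or missing (empty p= tag)"]
    if tags.get("k", "rsa") != "rsa":
        return []  # ed25519 keys (RFC 8463) have a fixed size; nothing to measure
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return [f"RSA key is {bits} bits, below {min_bits}"] if bits < min_bits else []

# Constructed sample: genuine SPKI/RSAPublicKey DER framing around a dummy 1024-bit modulus (not a real key)
SAMPLE_SPKI_1024 = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00308189028181") + b"\x00\x80" + bytes(127) + bytes.fromhex("0203010001")
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_SPKI_1024).decode()
SAMPLE_SPF = ["v=spf1 " + " ".join(f"include:h{i}.example" for i in range(11)) + " ?all"]  # 11 lookups, neutral ?all
```

Run against a real vendor domain, the TXT records would come from a resolver query for the domain (SPF) and for `<selector>._domainkey.<domain>` (DKIM); the checks themselves are unchanged.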

In addition, security leadership changes as CISOs and senior IT professionals leave organizations. Monitoring security is vital to maintaining trust even when business relationships change.

Reporting to the Board

Frequent assessments of vendor security performance allow for confident reporting to the board. An audit, penetration test, or vulnerability scan performed 6 months before a board meeting does not offer an accurate, up-to-date picture of vendor security performance, and it is often impractical to rerun these tests right before each meeting. Combined with continuous monitoring, however, they provide a comprehensive view of vendor security, so that you can confidently report on your vendors' security at any time.

Most IT professionals want to monitor frequently

In a study by BitSight and Forrester, 59% of IT professionals surveyed indicated a desire to monitor third parties, yet only 22% were doing so on at least a monthly basis. Despite that level of interest, organizations across all industries struggle to continuously monitor vendors. In a recent survey of 40 banks in New York, roughly one third require vendors to notify them of any breaches of their own networks.

The desire to monitor vendor security performance is rising. However, third-party breaches continue to take place at an alarming rate as organizations struggle to implement continuous monitoring solutions. Simply having a program to monitor third-party security performance is not enough. Organizations that monitor third parties with greater frequency will increase their ability to mitigate third-party risk.
