Why You Should Assess Your Vendor's Security Performance Frequently

Noah Simon | May 7, 2015 | tag: Vendor Risk Management

Third-party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon Data Breach Investigations Report (DBIR), in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital links in supply chains. While the phrase "you are only as strong as your weakest link" has been used ad nauseam, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:

Security posture can change at any time

New vulnerabilities emerge each day. Addressing them internally is already time-consuming for companies, but the same must be done for partners and third parties. While widely known vulnerabilities such as Heartbleed and POODLE are highly publicized, third parties may have other, less high-profile points of weakness. For example, SPF records may not exist, or they may authorize too many hosts. Likewise, DKIM records may use weak keys, or worse, they may be expired.
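As an added illustration of the SPF and DKIM hygiene checks mentioned above (example code written for this post, not BitSight's own tooling): it counts the SPF terms that cost a DNS lookup against the limit of 10 from RFC 7208 and reads the RSA key size out of a DKIM record's p= tag (an empty p= being the revoked-key case), using constructed sample records so it runs offline with no DNS queries.

```python
import base64, re
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def spf_lookup_count(txt):
    """Count lookup-causing SPF terms (RFC 7208 allows at most 10); None if no SPF record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    names = (re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in txt.split()[1:])
    return sum(n in SPF_LOOKUP_TERMS for n in names)

def _der_tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the byte count of the real length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def dkim_key_bits(txt):  # RSA modulus size in bits from a DKIM TXT record; 0 when p= is empty (revoked)
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    spki = base64.b64decode(tags.get("p", "").replace(" ", ""))
    if not spki:
        return 0
    _, seq, _ = _der_tlv(spki)        # SubjectPublicKeyInfo
    _, _, pos = _der_tlv(seq)         # skip AlgorithmIdentifier
    _, bits, _ = _der_tlv(seq, pos)   # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _der_tlv(bits, 1)     # skip the unused-bits byte
    _, n, _ = _der_tlv(rsa)           # modulus INTEGER comes first
    return int.from_bytes(n, "big").bit_length()

def mail_auth_findings(spf_txt, dkim_txt):
    """Report-style findings: RFC 7208 lookup limit, RFC 8301 minimum key size for verifiers."""
    lookups, bits = spf_lookup_count(spf_txt), dkim_key_bits(dkim_txt)
    checks = (  # (check passes, finding to report when it does not)
        (lookups is not None, "SPF: no record published"),
        (lookups is None or lookups <= 10, f"SPF: {lookups} lookup terms exceed the limit of 10"),
        (bits != 0, "DKIM: key revoked (empty p=)"),
        (bits == 0 or bits >= 1024, f"DKIM: {bits}-bit RSA key must be rejected by verifiers"),
    )
    return [finding for ok, finding in checks if not ok]

def _der(tag, content):  # minimal DER encoder, used only to build the constructed sample keys
    ln = len(content)
    lb = b"" if ln < 128 else ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, ln if ln < 128 else 0x80 | len(lb)]) + lb + content

def sample_dkim_record(modulus_bits):  # constructed record with a dummy modulus (not a real key)
    n = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8 + 1, "big")  # leading 0x00
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

In a real monitoring run the two TXT strings would come from DNS queries against the vendor's domain and its DKIM selector, with a lookup count above 10 meaning receivers evaluate the SPF record as a permanent error.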

Security leadership also changes as CISOs and senior IT professionals leave organizations. Monitoring security is vital to maintaining trust even as business relationships change.

Reporting to the Board

Frequent assessments of vendor security performance allow for confident reporting to the board. An audit, penetration test, or vulnerability scan performed 6 months before a board meeting does not offer an accurate, up-to-date picture of vendor security performance, and it may not be practical to rerun these tests before every board meeting. Combined with continuous monitoring, these point-in-time assessments provide a comprehensive view of vendor security, so that you can confidently report to your board on your vendors' security at any time.

Most IT professionals want to monitor frequently

In a study by BitSight and Forrester, 59% of IT professionals surveyed indicated a desire to monitor third parties, yet only 22% were doing so on at least a monthly basis. Despite this stated interest, organizations across all industries struggle to continuously monitor vendors. In a recent survey of 40 banks in New York, roughly one third require vendors to notify them of any breaches of the vendors' own networks.

The desire to monitor vendor security performance is rising. However, third-party breaches continue to take place at an alarming rate as organizations struggle to implement continuous monitoring solutions. Simply having a program to monitor third-party security performance is not enough. Organizations that monitor third parties with greater frequency will increase their ability to mitigate third-party risk.
