Third-party breaches still account for a large share of security incidents. According to this year's Verizon DBIR, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital links in supply chains. The phrase "you are only as strong as your weakest link" has been used ad nauseam, but it certainly rings true. The following are some of the reasons why continuously monitoring the security of third parties is crucial:
Security posture can change at any time
New vulnerabilities emerge every day. Addressing them internally is already time-consuming, and the same work has to be done for partners and third parties. While widely publicized vulnerabilities such as Heartbleed and POODLE get the attention, third parties often have less visible weaknesses. Email authentication is a common example: an SPF record may be missing, may reference so many hosts that it exceeds the ten-DNS-lookup limit and fails to evaluate, or may end in "+all" and authorize any sender. DKIM records may publish short RSA signing keys (below the 1024-bit minimum the standard requires) or, worse, the key may have been revoked or removed while mail still references its selector.
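As an added example (not code from the original post), the following Python script performs the SPF and DKIM checks just described: it counts DNS-lookup mechanisms against the RFC 7208 limit, flags a permissive "all" qualifier, detects an empty (revoked) DKIM key, and measures the RSA modulus in a DKIM p= value with a minimal DER parser. The vendor domains, the SAMPLE_RECORDS table and the make_spki helper that fabricates synthetic keys of a chosen size are assumptions for illustration; a real monitor would replace the table with DNS TXT lookups.

```python
import base64
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10     # RFC 7208 section 4.6.4: more than 10 lookups is a permerror
DKIM_MIN_RSA_BITS = 1024  # RFC 6376 section 3.3.3: long-lived keys MUST be >= 1024 bits
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# Minimal DER helpers: enough to fabricate synthetic keys and to read real or synthetic ones.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the value) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def make_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA public key. Hypothetical helper used only to
    build the sample records below; the moduli fed to it are not real keys."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(der):
    """Bit length of the modulus in a SubjectPublicKeyInfo or a bare RSAPublicKey."""
    _, body, _ = _read_tlv(der)          # outer SEQUENCE
    t, v, after = _read_tlv(body)
    if t == 0x30:                        # SPKI: skip AlgorithmIdentifier, unwrap the BIT STRING
        _, bits, _ = _read_tlv(body, after)
        _, rsa_body, _ = _read_tlv(bits[1:])  # bits[0] is the unused-bits count
        t, v, _ = _read_tlv(rsa_body)
    if t != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(v, "big").bit_length()

def check_spf(record):
    """Findings for one SPF TXT record; None means the domain publishes none."""
    if record is None:
        return ["no SPF record"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in record.split()[1:]:      # skip the v=spf1 version term
        qualifier = "+"                  # RFC 7208: the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        lookups += name in SPF_LOOKUP_MECHANISMS
        has_redirect |= name == "redirect"
        if name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    if all_qualifier == "+":
        findings.append("'+all' authorizes any host to send as this domain")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' term; unmatched senders get a neutral result")
    return findings

def check_dkim(record):
    """Findings for one DKIM selector TXT record; None means the selector is gone."""
    if record is None:
        return ["no DKIM record at selector"]
    tags = {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("k", "rsa").lower() != "rsa":
        return []                        # ed25519 keys are fixed-size; nothing to measure
    pub = re.sub(r"\s+", "", tags.get("p", ""))
    if pub == "":
        return ["empty or missing p= tag: key revoked (RFC 6376 section 3.6.1)"]
    bits = rsa_modulus_bits(base64.b64decode(pub))
    if bits < DKIM_MIN_RSA_BITS:
        return [f"RSA key is {bits} bits, below the {DKIM_MIN_RSA_BITS}-bit minimum"]
    return []

def _dkim_record(bits):
    # Constructed DKIM record whose synthetic modulus is exactly `bits` bits long.
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki((1 << (bits - 1)) | 1)).decode()

# Constructed sample records (not real vendor data) standing in for DNS TXT lookups.
SAMPLE_RECORDS = {
    "vendor-a.example": {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
                         "dkim": _dkim_record(2048)},
    "vendor-b.example": {"spf": "v=spf1 " + " ".join(f"include:relay{i}.example" for i in range(11)) + " +all",
                         "dkim": _dkim_record(768)},
    "vendor-c.example": {"spf": None, "dkim": "v=DKIM1; k=rsa; p="},
}

def assess(domain, records=SAMPLE_RECORDS):
    """Run both checks for one vendor domain."""
    r = records[domain]
    return {"spf": check_spf(r["spf"]), "dkim": check_dkim(r["dkim"])}
```

Two caveats for anyone turning this into a monitor: the lookup count here is the direct count for one record, whereas RFC 7208 counts lookups transitively through every include and redirect target, so a real check must resolve those and sum them; and a key that was simply removed shows up as a missing TXT record at the selector (the None case), not as an empty p= tag, so both conditions need to be checked.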
Security leadership also changes as CISOs and senior IT professionals leave organizations. Continuous monitoring is vital to maintaining trust even as the people and business relationships behind a vendor change.
Reporting to the Board
Frequent assessments of vendor security performance allow for confident reporting to the board. An audit, penetration test, or vulnerability scan performed six months before a board meeting does not offer an accurate, up-to-date picture of vendor security performance, and it is rarely practical to run these tests on the board's schedule. Those point-in-time assessments, combined with continuous monitoring, provide a comprehensive view of vendor security so that you can report confidently on your vendors' security at any time.
The desire to monitor vendor security performance is rising. However, third-party breaches continue to occur at an alarming rate as organizations struggle to implement continuous monitoring. Simply having a program to monitor third-party security performance is not enough: organizations that monitor third parties more frequently are better able to mitigate third-party risk.