Posted on Jan 6, 2020
Managing your Third Party Cyber Risk Management (TPCRM) can be a tedious, time-consuming task, yet it is a critical one. Third parties pose a significant source of risk for most businesses. According Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report, 59% of respondents had reported a third-party related data breach. Yet only 4 in 10 organizations have a mature vendor risk management process in place, according to Protoviti’s 2019 Vendor Risk Management Benchmark Study.
To make matters worse, when a vendor is involved, the cost of a data breach rises. According to Ponemon’s 2019 Cost of a Data Breach Report, if a third party caused the data breach, the cost increased by more than $370,000. Because of these risks, it’s critical that your third-party cyber risk management program is comprehensive, proactive and agile.
When it comes to reducing third party risk, due diligence can be a labor intensive process. Large organizations can have hundreds or even thousands of third parties, ranging from cloud vendors that serve an entire company to contractors that work for just one department. It’s a lot to keep track of — especially since many companies are still using spreadsheets and other manual tools to track TPCRM. Estimates vary, but research from EY suggests that 40% of organizations are using spreadsheets to track issues with third parties’ risk. This is a manual process that takes a lot of time, and — as with any other manual data-entry project — can be prone to human error.
Automated tools can reduce the paperwork and strain on staff by offering away to easily monitor third parties without having to manually create questionnaires, or update spreadsheets.
Automated tools can also solve another questionnaire-related problem. Often, when presented with a questionnaire, third parties may choose to answer a question in different ways.
Some may take a narrative approach to answering questions, some may answer yes/no, some may attach a screenshot. Those different kinds of data are going to be difficult to store or understand because in many cases you won’t be comparing apples to apples. Nor can a tool automatically process all those different kinds of data — instead, someone will have to manually review it.
An intelligence security tool can collect the data itself, only collecting the sort of structured data you need to automatically assess risk. It will also save people on both sides of the client/vendor relationship time and effort on questionnaires and surveys.
Not all vendors were created equal, or at least they don’t all pose the same risk to your assets. Vendors that handle critical business processes will be a much bigger threat to your data than a contractor who works with one department. You’ll want to be able to see, at a glance, which third parties represent the biggest risks to your organization. Risk ratings are a tool that can help you do this.
Your first step is a risk analysis for each of your vendors. Use the following formula to understand each third parties’ risk:
Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
Then, based on the results, assign a risk rating of high, medium, or low. Often The vendors who handle the most business-critical operations or the most sensitive data will likely be rated medium or high. Be aware that this method sometimes won’t give you all the information you need, because sometimes you can’t know the vendors’ likelihood of experiencing a breach. They may not be aware, either — some of their assets may be insecure, or they may have been breached and not yet know. That’s why the next step is so important.
Questionnaires and surveys represent one moment in time. These tools are static, and provide snapshots of a vendor’s security posture, but rarely the whole picture. In many cases, there’s no way to verify the accuracy of questionnaires, and you may simply have to accept a third party’s word that they are compliant.
By using tools that allow you to continuously monitor the security posture of your vendors, you can avoid all of these issues, receiving a notification whenever vendor falls out of compliance, and scanning for problems the vendor might not know about, like an Amazon Web Services bucket that has been mistakenly configured, chatter on the dark web about breached assets, or other assets that have been left unsecured.
When you work with third parties their risk is your risk, and unfortunately, cyber criminals are increasingly targeting vendors in an effort to get at their clients’ data and assets. To reduce the amount of administrative time and effort spent managing third party relationships, consider a tool that automates parts of the process. SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organizations can upload vendor responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.