Posted on Oct 26, 2020
Vendors are a critical piece of most organizations’ businesses. Vendors, particularly cloud-based services, help companies deliver services, streamline their business processes, and scale their operations quickly and efficiently.
With reliance on vendors, however, comes risk. Data breaches caused by third parties are more difficult to control, predict, or prevent than those that occur in-house, and they’re also more expensive. Ponemon’s latest Cost of a Data Breach report once again found third-party involvement to be a cost amplifier: when a third party is involved in a breach, the report puts the cost an average of $207,411 above the $3.86 million average cost of a data breach.
That sort of risk has meant that organizations look to vendor risk management (VRM) as a vital risk mitigation strategy. Managing vendor risk, however, can be overwhelming — often organizations work with many vendors and other third parties and verifying every vendor’s controls can be a difficult task.
To make vendor risk management programs easier to manage, companies need a clear and comprehensive vendor management policy. This policy should identify your riskiest vendors, define controls to minimize that risk, and act as a strong foundation for your vendor risk management strategy.
It’s important to remember that your vendors are an extension of your enterprise. That's why they’re a risk: some vendors have access to data and networks you don’t want exposed. As you create your vendor risk management policy, know that you'll be following some of the same processes you followed when you wrote your own cybersecurity policies.
You may have some idea of who your vendors are, but it is important to know exactly who all your vendors are if you’re going to be monitoring them. This will mean going to each department and asking for a list of their vendors, because some departments may own relationships the rest of the organization isn’t aware of. Make sure you obtain as complete a list as possible.
When it comes to risk management, not all vendors are created equal. When you’re compiling your list of vendors, you’ll want to do more than find out who they are. You’ll also need to know what data, networks, software, and devices each vendor is able to access. Vendors who don’t have access to sensitive data or systems are low-risk; if they’re attacked, you’re unlikely to suffer a breach. Your cloud provider, however, is a high-risk vendor: if they experience a data incident, your data is at risk.
Once you’ve identified the risks, you can set controls and metrics for the vendors that pose the greatest risk to your data. You can do this by defining the sorts of controls that you’ll require your vendors to use, and incorporating these controls into your policy and into contracts with any new vendors. You’ll also want to choose metrics that will help you measure your vendors’ compliance with these controls, such as time to install a security patch or time to detect a breach.
You’ve set controls and metrics for your vendors, but how can you actually tell how long it’s taken them to install a patch or detect a breach? Continuous monitoring using a platform that monitors risk, such as security ratings, allows you to monitor the cyberhealth of your vendors in real time, without having to rely on the snapshots provided by static forms of monitoring, like questionnaires.
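The four steps above (inventory every department's vendors, tier each vendor by what it can reach, attach a control with a measurable metric, and check the metric continuously) can be expressed in code. The following is an added example, not code from the original post or from SecurityScorecard; the vendor records, department lists, patch dates and the per-tier patch SLA values are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vendor:
    """One vendor as reported by a department (assumed record layout)."""
    name: str
    owner_depts: Set[str]
    accesses_sensitive_data: bool
    accesses_networks: bool
    # (patch published, patch installed by vendor) date pairs
    patch_events: List[Tuple[date, date]] = field(default_factory=list)


def merge_inventory(reports: List[Vendor]) -> List[Vendor]:
    """Step 1: merge per-department vendor reports into one master list.

    The same vendor is often reported by several departments under slightly
    different spellings. Duplicates are collapsed by normalised name, owning
    departments are unioned, and access flags are OR-ed so the broadest known
    access wins (one department may not know what another granted)."""
    merged: Dict[str, Vendor] = {}
    for v in reports:
        key = " ".join(v.name.lower().split())
        if key not in merged:
            merged[key] = Vendor(v.name, set(v.owner_depts), v.accesses_sensitive_data,
                                 v.accesses_networks, list(v.patch_events))
        else:
            m = merged[key]
            m.owner_depts |= set(v.owner_depts)
            m.accesses_sensitive_data |= v.accesses_sensitive_data
            m.accesses_networks |= v.accesses_networks
            m.patch_events.extend(v.patch_events)
    return list(merged.values())


def risk_tier(v: Vendor) -> str:
    """Step 2: tier by what the vendor can reach, not by contract size."""
    return "high" if (v.accesses_sensitive_data or v.accesses_networks) else "low"


# Step 3: the control, expressed as a metric with a per-tier threshold.
# Maximum days allowed between a security patch being published and the
# vendor installing it. These SLA numbers are assumed, not from the article.
PATCH_SLA_DAYS = {"high": 14, "low": 60}


def max_patch_latency_days(v: Vendor) -> Optional[int]:
    """Worst observed time-to-patch for this vendor; None if nothing observed."""
    if not v.patch_events:
        return None
    return max((installed - published).days for published, installed in v.patch_events)


def evaluate(vendors: List[Vendor]) -> Dict[str, Tuple[str, Optional[int], bool]]:
    """Step 4: check every vendor's metric against the control for its tier.

    Returns name -> (tier, worst patch latency in days, within SLA?)."""
    result = {}
    for v in vendors:
        tier = risk_tier(v)
        latency = max_patch_latency_days(v)
        compliant = latency is None or latency <= PATCH_SLA_DAYS[tier]
        result[v.name] = (tier, latency, compliant)
    return result


# Constructed sample department reports (hypothetical vendors and dates).
SAMPLE_REPORTS = [
    Vendor("CloudHost Inc", {"IT"}, True, True,
           [(date(2020, 9, 1), date(2020, 9, 10)), (date(2020, 9, 20), date(2020, 10, 12))]),
    Vendor("Payroll SaaS", {"HR"}, True, False, [(date(2020, 8, 3), date(2020, 8, 10))]),
    Vendor("payroll  saas", {"Finance"}, False, False),   # same vendor, reported again
    Vendor("Office Snacks Co", {"Facilities"}, False, False),
    Vendor("Print Shop", {"Marketing"}, False, False, [(date(2020, 7, 1), date(2020, 8, 15))]),
]

if __name__ == "__main__":
    for name, (tier, latency, ok) in evaluate(merge_inventory(SAMPLE_REPORTS)).items():
        print(f"{name:18} tier={tier:4} worst_patch_days={latency} within_sla={ok}")
```

Run as a script, the output flags CloudHost Inc (high tier, 22 days to patch against a 14-day SLA) as out of compliance, while Print Shop's 45 days is acceptable for a low-tier vendor. The point of the merge step is the Finance report of "payroll saas" with no access flags: without OR-ing across departments, that vendor would have been tiered low even though HR knows it holds sensitive data.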
When we’re talking about cybersecurity and breaches, the phrases “third party” and “vendor” are often used interchangeably. There are, however, differences between the two. Vendors, for example, sell goods and services. They can be an individual (a freelancer, for example) or an organization (a business). Third parties are not individuals. They’re business entities that provide mission-critical goods and services to an organization or its customers. Those differences matter because the controls you’d impose on an individual contractor are different from the ones you’d impose on a major channel partner, and the risks themselves are different.
Managing third party relationships, particularly monitoring them, can be an onerous administrative task. A tool that automates parts of the process can free up your team for higher-level tasks and make your organization safer.
Our intelligent tool, Atlas, uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload your vendors’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately, so you don’t have to devote personnel time to sending and chasing down questionnaires.
SecurityScorecard’s easy-to-read Security Ratings, based on an A-F scale, enable you to align your security priorities with the metrics you’ve set up for your vendors. If they fall out of compliance, you’ll know as soon as it happens.