Posted on Feb 15, 2019
Sometimes your biggest security challenge is the vendors who are unknown to the risk management team.
Traditionally, in order to determine vendors an enterprise is engaged with, it required working with procurement and surveying various departments and individuals. It’s a time-consuming process that is prone to errors, oversights, and doesn’t account for the many “shadow” vendor relationships that may exist. Even when the vendor is known, in order to determine their level of security you had to use questionnaires or ask them to install intrusive software on each one of their computers. These methods don’t provide accurate visibility into the vulnerabilities across your entire business ecosystem, are expensive, and labor intensive.
Should they fill out your questionnaire or submit to your vulnerability scans, you still won’t know if they change their software or hardware a week later. In other instances, IT functionality may move processes and data to the cloud or other third-party vendors which presents new security challenges.
Once you understand your existing vendors, you need to think about vendors of vendors (4th party) and how it only takes one of these to have a security vulnerability that can hurt your business. It can be very difficult to know this in a large enterprise.
A great example is the December 2013 Target data breach where hackers were able to get credit card data for over 40 million customers. After doing some research into the intrusion, it was determined that hackers came in through one of Target’s vendors, an HVAC supplier who had more access to Target’s systems than they realized.
In other examples, “Boston Medical Center said it fired a transcription service after a health care provider reported the records of about 15,000 patients at the hospital were posted without password protection on the vendor’s website used by physicians,” said Robert Weisman at bostonglobe.com.
Goodwill was also a victim with 886,000 compromised accounts after an 18 month breach caused by a vendor.
According to Michela Menting at eSecurity Planet, "It has traditionally been much easier to go through third-party vendors, especially where there are smaller firms and contractors, than trying to attack a behemoth itself. If you consider the services industry – insurers, law firms, consultancies – these have been vectors for infiltration into much larger client companies."
Automatic Vendor Detection (AVD™) is a module for the SecurityScorecard platform that enables reconnaissance on a company's third and fourth party cybersecurity attack vectors. Using AVD, you can automatically find and identify security vulnerabilities throughout your entire business ecosystem.
(Connected graph represents vendor relationships within an organization's business ecosystem. Red and yellow dots indicate vendors at high risk for a data breach)
This is done using non-obtrusive methods that make it quick and easy to determine if any of your vendors are a security risk. Network access, penetration tests, and security forensics are invasive and are not required with the SecurityScorecard solution. Each vendor has an expanded view listing potential vulnerabilities that are noted. For each issue SSC offers a checklist of items you or the vendor can do to resolve the issues.
Discovering the third, fourth, fifth (and beyond) party vendors you didn’t know about is simple and intuitive with SecurityScorecard.
Simply enter your company into the search bar. AVD will automatically build a list of third party vendors for your selection. You can click the “Add” button for each company to add them to your vendor portfolio.
But, what about the vendors of your vendors (or vendors of your vendors vendors)?
In this example, let’s say box.com is one of your vendors and you’ve added them to your vendor list. On the line with Box.com’s score, you now have a link to “Open” their vendors.
Once clicked, a list of Box.com’s vendors (your 4th party vendors) will pop up with a scorecard for each one. This process can be repeated an unlimited number of times to understand vendors’ relationships between themselves.
“A company’s exposure to cyber risk extends to the network vendors they work with,” said Brad Gow, Senior Vice President at Endurance. “SecurityScorecard’s Automatic Vendor Detection augments their traditional offering by identifying critical third and fourth party network dependencies, giving us additional clarity into the quality of their IT management as well as identifying potential hotspots over our entire cyber portfolio.”
Using SecurityScorecard, you can quickly browse past the traditional limiting third and fourth party vendors by clicking on their connections. This allows you to understand the risk of your entire partner ecosystem. SecurityScorecard is the only solution that saves you time on vendor research, and augments the traditional questionnaire and penetration test process. One group in line to benefit from this technology are the cyber underwriters. Insurance companies are constantly concerned with their third party exposure. Hence, their current policies require an ongoing assessment of each company they insure and their vendors. Moreover, there is a lot of pressure on underwriters to extend their policies and offerings to cover third party breaches.
Don't wait until a breach occurs to find out that your third or fourth party vendors are not secure. AVD helps protect companies from becoming secondary targets of a cyber attack. SecurityScorecard with Automatic Vendor Detection saves time, money, and provides instant visibility into the weaknesses and vulnerabilities throughout the entire business ecosystem.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.