5 Best Practices for Virtual Cyber Risk Assessments in Times of Crisis

By Miryam Meir

Posted on Jul 6, 2020

The Coronavirus pandemic has changed the way most of the world is doing business. According to an IDG survey released in April, 78% of employees have been working from home more than 60% of the time, compared to just 16% of the time before the COVID-19 shutdown. While that’s a good move for employee health and safety, it means that many of the business processes organizations rely on have had to change — that includes cyber risk assessments, which have also gone virtual.

Pandemic or no pandemic, however, assessing the cyber risk posed by your third parties is critical. According to Dark Reading, third-party breaches spiked last year, as did the number of records exposed. The report found that 4.8 billion records were exposed in 2019, up from 1.7 billion in 2018. It’s never good news when third parties are involved in a data breach; Ponemon’s 2019 Cost of a Data Breach Report found that when a third party causes a data breach, the cost tends to increase by more than $370,000.

For this reason, it is crucial to make sure your third parties’ cybersecurity is assessed — but over the past few months, your organization may have put your cyber risk assessments on hold. As the pandemic continues, and teams continue to work remotely, how should you plan to proceed?

As with remote work, it’s time to take cyber risk assessments online.

What is a virtual cyber risk assessment?

A third-party security assessment is a due diligence review to gain a level of assurance with the overall security of a third party — such as a vendor or a partner — to protect an organization from third-party breaches.

There are two ways to conduct a third-party security assessment — on-site and virtual. While on-site assessments involve in-person meetings with stakeholders and facility tours, the important thing to remember is that there is no real difference between the content of a virtual and an on-site cyber risk assessment.

The only difference between the two is the location. The content of the assessment will be the same. It’s still a rigorous process run by an assessor. The assessor will still collect questionnaires, evidence, and documentation.

While a site visit might move more quickly, since the assessor can get the whole six-hour affair done in one day, a virtual cyber risk assessment may be more efficient: because sessions are scheduled via Zoom, subject matter experts can join only those that are relevant to them.

Best practices for running a virtual cyber risk assessment

  1. Be as prepared as possible: You’ll need to plan for every step of the process, from the kick-off call to the evidence request, and the assessor will also need to do pre-work to understand the third party’s organization. Make sure you have an assessment agenda and a document request list prepared and shared ahead of the meeting. These documents will make it easier for the third party to provide evidence and make subject matter experts available for meeting times.
  2. Know your logistics: The logistics of a virtual assessment are different from those of an on-site visit. Make sure you’re planning across time zones, and have agreed on your (secure) conferencing tool. Be sure the technology works ahead of time, and be aware that some third parties will request to use their own conferencing tool so they can manage the access controls.
  3. If virtual assessments aren’t your norm, make a note of it: For example, if your on-site assessments normally include a physical security review, the difference in scope should be noted in your report, particularly if physical security could not be validated through a SOC 2.
  4. Remember, we’re in a time of crisis: Many of your call attendees are likely working from home. Their kids may interrupt, and they might need to take breaks. Their internet might be slow. They may not know how to share documentation via Zoom. Be prepared to explain, and be flexible.
  5. Plan to follow up: Sometimes third parties disappear after an assessment. Make notes during the assessment and plan to follow up. Also, include a due date by which they need to respond. Your vendors may be overwhelmed. A date will help them know when they need to get back to you.

How can SecurityScorecard help?

During times of crisis, like the pandemic, on-site assessments might not be possible, or you may need to delay assessments. Our Security Ratings can help you prioritize the assessments your team needs to complete now, and those that can be rescheduled for a less turbulent time.

  • For example, if a third party’s security assessment was positive last year, and there have been no major changes in their relationships, technology, or security incidents, those are good signs. If they also have a positive SecurityScorecard Rating, you may wish to defer their cyber risk assessment for six months to a year.
  • If a vendor’s assessment was mixed, however, and they’ve had some impactful changes, and a mixed SecurityScorecard Rating, you may instead decide to request a limited assessment to discuss risk changes.
  • Lastly, if the vendor’s previous assessment was mixed, they’ve experienced changes and they have a negative SecurityScorecard rating, that’s a sign that it’s time for a full virtual cyber risk assessment.

SecurityScorecard can also help streamline the evaluation process with Atlas, an intelligent tool that speeds up the questionnaire exchange and validation process by allowing you to create questionnaires with conditional questions, send questionnaires to multiple vendors at once, and collaborate with your third parties within Atlas, rather than sending questionnaires and evidence back and forth through email.

Atlas automatically aligns your vendors’ questionnaire responses with SecurityScorecard Ratings data, providing an instant 360° view of cyber security risk and enabling you to trust but verify your business partners.
