Posted on Jul 6, 2020
The Coronavirus pandemic has changed the way most of the world is doing business. According to an IDG survey released in April, 78% of employees have been working from home more than 60% of the time, compared to just 16% of the time before COVID-19 shutdown. While that’s a good move for employee health and safety, it means that many of the business processes organizations rely on have had to change — that includes cyber risk assessments, which have also gone virtual.
Pandemic or no pandemic, however, assessing the cyber risk posed by your third parties is critical. According to Dark Reading, third party breaches spiked last year, as did the number of records exposed. The report found that 4.8 billion records were exposed in 2019, up from 1.7 billion in 2018. It’s never good news when third parties are involved in a data breach; Ponemon’s 2019 Cost of a Data Breach Report found that if a third party causes a data breach, the cost tends to increase by more than $370,000.
For this reason, it is crucial to make sure your third parties’ cybersecurity is assessed — but over the past few months, your organization may have put your cyber risk assessments on hold. As the pandemic continues, and teams continue to work remotely, how should you plan to proceed?
As with remote work, it’s time to take cyber risk assessments online.
A third-party security assessment is a due diligence review to gain a level of assurance with the overall security of a third party — such as a vendor or a partner — to protect an organization from third-party breaches.
There are two ways to conduct a third-party security assessment — on-site and virtual. While on-site assessments involve in-person meetings with stakeholders and facility tours, the important thing to remember is that there is no real difference between the content of a virtual and an on-site cyber risk assessment.
The only difference between the two is the location. The content of the assessment will be the same. It’s still a rigorous process run by an assessor. The assessor will still collect questionnaires, evidence, and documentation.
While a site visit might actually move more quickly because the assessor can visit and get the whole six-hour affair done in one day, a virtual cyber risk assessment may be more efficient because scheduled via Zoom, subject matter experts can join only for the sessions that are relevant to them.
During times of crisis, like the pandemic, onsite assessments might not be possible, or you may need to delay assessments. Our Security Ratings can help you prioritize the assessments your team needs to complete now, and those that can be rescheduled for a less turbulent time.
SecurityScorecard can also help streamline the evaluation process with Atlas, an intelligent tool that speeds up the questionnaire exchange and validation process by allowing you to create questionnaires with conditional questions, send questionnaires to multiple vendors at once, and collaborate with your third parties within Atlas, rather than sending questionnaires and evidence back and forth through email.
Atlas automatically aligns your vendors’ questionnaire responses with SecurityScorecard Ratings data, providing an instant 360° view of cyber security risk and enabling you to trust but verify your business partners.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.