Posted on Jul 10, 2018
While organizations focus on their own cybersecurity, many lack the insight they need into the cyberhealth of their third-party vendors, leaving them vulnerable to attackers who exploit their ecosystems. According to Benjamin Lawsky, the superintendent of the New York State Department of Financial Services, “a company’s cyber security is only as strong as the cyber security of its third-party vendors.” Yet scrutinizing third parties is only half of the story. To understand the tangible risk they pose, you need reliable measurements that give you confidence in your vendor management program.
The High Cost of Vendor Vulnerabilities
A supply chain attack (also known as a third-party or value-chain attack) can have devastating effects and typically occurs in one of three ways. First, an attacker can access the protected customer data you share with a vendor while it resides on the vendor’s systems. For example, you might use a payment processing system whose outdated encryption lets attackers read your customer data. Second, vendor hardware or software that you use can contain a vulnerability; attackers who know about it use it to enter your systems. Third, you can grant a vendor, such as a third-party contractor, access to your systems. If the contractor uses weak passwords, an attacker can guess them with a brute force attack.
Despite the real threat posed by third-party vendors, the Bomgar Vendor Vulnerability Survey uncovered the following:
Knowing which vendors access your systems is the first step toward understanding your vendor risk. Controlling vendor access to your data environment means reviewing vendor lists, granting role-based authorizations on a “need-to-know” basis, and reviewing access logs. However, not every third-party risk sits inside systems you control.
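The three controls above (an approved vendor list, role-based scope, and access-log review) can be automated as a single periodic check. The following is an added example written for this page, not SecurityScorecard code or any tool the page describes; the vendor register, role scopes, and log format are hypothetical, and the log lines are constructed. It flags vendor accounts missing from the register, accounts whose contract has lapsed, access outside the role's need-to-know scope, and a run of failed logins of the kind a weak contractor password invites.

```python
import re
from collections import Counter
from datetime import datetime

# Hypothetical approved-vendor register: account -> role and contract end date.
VENDOR_REGISTER = {
    "acme-support":  {"role": "helpdesk", "expires": "2018-12-31"},
    "paylink-svc":   {"role": "payments", "expires": "2018-06-30"},  # contract lapsed
    "nimbus-backup": {"role": "backup",   "expires": "2019-03-31"},
}

# Hypothetical role -> resources that role may touch ("need-to-know").
ROLE_SCOPE = {
    "helpdesk": {"ticketing", "kb"},
    "payments": {"billing-db"},
    "backup":   {"backup-vault"},
}

# Consecutive failures from one account before we raise a brute-force finding.
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log in a hypothetical "timestamp account resource result" format.
SAMPLE_LOG = """\
2018-07-09T10:01:00Z acme-support ticketing ok
2018-07-09T10:02:10Z acme-support billing-db ok
2018-07-09T10:03:00Z paylink-svc billing-db ok
2018-07-09T10:04:00Z ghost-vendor kb ok
2018-07-09T10:05:00Z nimbus-backup backup-vault fail
2018-07-09T10:05:05Z nimbus-backup backup-vault fail
2018-07-09T10:05:10Z nimbus-backup backup-vault fail
2018-07-09T10:05:15Z nimbus-backup backup-vault fail
2018-07-09T10:05:20Z nimbus-backup backup-vault fail
2018-07-09T10:05:25Z nimbus-backup backup-vault ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")


def parse_log(text):
    """Parse the hypothetical log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, account, resource, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "resource": resource,
            "result": result,
        })
    return events


def review_vendor_access(events, register, role_scope, now,
                         threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, account, resource) tuples in log order."""
    findings = []
    failures = Counter()
    for e in events:
        entry = register.get(e["account"])
        if entry is None:
            # Access by an account that is not on the approved vendor list.
            findings.append(("UNKNOWN_ACCOUNT", e["account"], e["resource"]))
            continue
        if datetime.strptime(entry["expires"], "%Y-%m-%d") < now:
            # Vendor still holds credentials after its contract ended.
            findings.append(("EXPIRED_CONTRACT", e["account"], e["resource"]))
        if e["resource"] not in role_scope.get(entry["role"], set()):
            # Resource is outside what the vendor's role needs to know.
            findings.append(("OUT_OF_SCOPE", e["account"], e["resource"]))
        if e["result"] == "fail":
            failures[e["account"]] += 1
            if failures[e["account"]] == threshold:
                # Fire once when the failure run reaches the threshold.
                findings.append(("BRUTE_FORCE_SUSPECTED", e["account"], e["resource"]))
    return findings


def run_sample():
    """Run the review over the constructed log as of 2018-07-10."""
    return review_vendor_access(parse_log(SAMPLE_LOG), VENDOR_REGISTER,
                                ROLE_SCOPE, datetime(2018, 7, 10))


if __name__ == "__main__":
    for finding in run_sample():
        print("%-22s account=%-14s resource=%s" % finding)
```

On the sample, the review raises four findings: the helpdesk vendor reaching the billing database, the payments vendor still active after its contract end, an unregistered account, and a five-failure run from the backup vendor. In practice the register and role scopes would be pulled from the vendor management system rather than hard-coded, but the checks themselves are the ones the paragraph describes.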
Third-party vendors put your data at risk whenever you share information with them. According to CSO Online, organizations spend $10 million on average responding to third-party breaches; yet according to Deloitte, only 5.7% of executives have high confidence in their third-party risk management tools and technology. If your vendors store information on their systems, those environments become your risk, so you need insight into their network and system security. For example, if you use a cloud service provider whose firewalls are not kept up to date, an attacker can obtain your customer data.
The lack of insight into the cyberhealth of third-party vendors is a serious risk. According to Soha Systems, 63% of all cyberattacks could be traced directly or indirectly to third parties. Despite the rise in security threats linked to supplier and contractor access, only 2% of enterprise IT and security professionals consider third-party access their top priority.
Mitigating Potential Damages with Vendor Risk Management
The real challenge is what to do about the risk of third-party vendors. Even organizations that have vendor management policies and procedures find reporting on vendor security difficult. While many organizations conduct internal and external audits, these are limited to a single point-in-time vendor assessment, which is ineffective, time-consuming, and costly. Attackers continuously devise new attacks, so you need to continuously review your ecosystem for threats.
SecurityScorecard gives you a platform built on machine learning that continuously monitors your vendors to mitigate third-party security risk. With it, you have the tools and intelligence to make better risk management decisions and to let your internal security teams and vendors quickly identify and resolve security issues.
Companies now know that being breached is no longer an “if” but a “when.” To appropriately manage third-party risks, you need to be able to measure the threats, not simply make an educated guess. Fortunately, key performance indicators (KPIs) can help mitigate the risks when implemented properly. Audits and vendor reviews not only capture a single moment in time; they also fall short of protecting your data ecosystem because they cannot account for the remediation and mitigation steps taken afterward. You can determine that a vendor has a low risk of being breached, but when an attacker does strike, you need values proving that the vendor is fixing the problem.
With SecurityScorecard’s Vendor Risk Management tools, you improve the cyberhealth of your entire vendor ecosystem by continuously identifying, monitoring, and managing risk. For example, you hire a vendor based on its original security rating of A, indicating excellent cyberhealth. The vendor then suffers a breach, and the exploited vulnerability may lower its rating to C. You can track the vendor’s response to the breach by watching its security rating. Since SecurityScorecard updates its ratings through continuous scanning for vulnerabilities, you can monitor the vendor for any increase in the rating. If the rating stays the same, the vendor has not fixed the problem. If the rating increases, you have a metric demonstrating its resilience and continued dedication to protecting your information.
KPIs to Improve Vendor Risk Management:
While mitigating the cybersecurity risks third-party vendors pose to your organization can be daunting, the need to implement vendor risk management to protect all you’ve built from outside threats is a growing necessity. With the right tools and resources, you can create meaningful collaboration between your organization and your vendors. SecurityScorecard’s platform gives you integrated workflows to resolve third-party vendor security and compliance issues before they become problems.
With our predictive research, your security professionals have the insights and technology they need to keep your organization safe from the complex threats third-party vendors pose. Attackers are constantly looking for ways to exploit third-party weaknesses. Get the actionable insights you need to protect your organization’s reputation and profitability.
With attackers finding new ways to compromise third parties in hopes of reaching a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of IT security risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.