KPI for Vendor Risk Management

Posted on Jul 10, 2018

While organizations focus on their own cybersecurity, many lack the insights they need into the cyberhealth of their third-party vendors, leaving them vulnerable to attackers exploiting their ecosystems. According to Benjamin Lawsky, the superintendent of the New York State Department of Financial Services, “a company’s cyber security is only as strong as the cyber security of its third-party vendors.” Yet scrutinizing third parties is only half of the story. To understand the tangible risks they pose, you need reliable measurements that give you confidence in your vendor management program.

The High Cost of Vendor Vulnerabilities

A supply chain attack (also known as a third-party or value-chain attack) can have devastating effects and can occur in three ways. First, a malicious attacker can access the protected customer data you share with a vendor that resides on the vendor’s systems. For example, you might use a payment processing system with outdated encryption that hackers can use to access your customer data. Second, vendor hardware or software that you use can have a vulnerability. Hackers who know about this vulnerability then use it to access your systems. Third, you can provide a vendor, such as a third-party contractor, with access to your systems. If the contractor uses insecure passwords, then a hacker can successfully carry out a brute force attack.

Despite the real threat of third-party vendors, the Bomgar Vendor Vulnerability Survey uncovered the following:

  • Only 35% of respondents are very confident in knowing the actual number of vendors accessing their systems, and just 34% know the number of individual log-ins that can be attributed to vendors.
  • 69% say they definitely or possibly suffered a security breach resulting from vendor access within the last year.
  • Only 52% effectively monitor third-party vendor risks.
  • 31% of organizations increased the number of third-party vendors by more than 20% and 44% of organizations increased third-party vendors up to 20%.
  • According to respondents, on average 89 vendors access an organization’s network every single week, while 45% of third-party vendors had access to internal networks.

Understanding which vendors access your systems is the first step to understanding your vendor risk. Controlling vendor access to your data environment means reviewing vendor lists, granting role-based authorizations on a “need-to-know” basis, and reviewing access logs. However, not all third-party vendors are something you can control.

Third-party vendors put your data at risk when you share information with them. According to CSO Online, organizations spent $10 million on average responding to third-party breaches; however, according to Deloitte, only 5.7% of executives have high confidence in their third-party risk management tools and technology. If your vendors store information on their systems, those environments become your risk. Therefore, you need insight into their network and system security. For example, if you use a cloud service provider whose firewalls are not updated, a hacker can obtain customer data.

The lack of insight into the cyberhealth of third-party vendors is a serious risk. According to Soha Systems, 63% of all cyberattacks could be traced directly or indirectly to third parties. Despite the rise in security threats linked to supplier and contractor access, only 2% of enterprise IT and security professionals consider third-party access their top priority.

Mitigating Potential Damages with Vendor Risk Management

The real challenge is what to do about the risk of third-party vendors. Even organizations that have vendor management policies and procedures in place find reporting on vendor security difficult. While many organizations conduct internal and external audits, these are limited to a single point-in-time vendor assessment, which is ineffective, time-consuming, and costly. Hackers continuously develop new attacks, so you need to continuously review your ecosystem for threats.

With our platform, you’ll have the tools and intelligence to make better risk management decisions and to allow your internal security teams and vendors to quickly identify and resolve security issues. SecurityScorecard gives you an innovative platform built on machine learning to provide your organization with continuous monitoring tools to mitigate the security risk of third-party vendors.

Measuring Security Risk and Remediation

Presently, companies know that being breached is no longer an “if” but a “when.” To appropriately manage third-party risks, you need to be able to measure the threats, not simply make an educated guess. Fortunately, KPIs (key performance indicators) can help mitigate the risks when implemented properly. Not only do audits and vendor reviews focus on a single moment in time, they also fall short of protecting your data ecosystem because they cannot account for remediation and mitigation steps. You can determine that a vendor is at low risk of being breached, but when a hacker does attack, you need values proving that the vendor is fixing the problem.

With SecurityScorecard’s Vendor Risk Management tools, you’ll improve the cyberhealth of your entire vendor ecosystem by continuously identifying, monitoring, and managing risk. For example, suppose you hire a vendor based on its original security rating of A, indicating excellent cyberhealth. The vendor suffers a breach, which may lower its security rating to C because of the exploited vulnerability. You can track the vendor’s response to the breach by watching its security rating. Since SecurityScorecard constantly updates its ratings by continuously scanning for vulnerabilities, you can monitor the vendor for any increase in the rating. If the rating remains the same, the vendor has not fixed the problem. If the rating increases, you have a metric proving its resilience and continued dedication to protecting your information.

KPIs to Improve Vendor Risk Management:

  • Define a required security rating for your critical third-party vendors, meaning those with a significant amount of access to your data or network.
  • Re-evaluate your third-party vendor contracts and implement cybersecurity best practices, such as a report listing security controls and maintaining a security rating that proves the effectiveness of the controls.
  • Implement a “patching cadence” requirement to ensure vendors update software and hardware against IT security vulnerabilities, and monitor their “patching cadence” security rating score for that vector.
  • Determine how quickly your vendors respond to their own security incidents by reviewing changes in their security ratings to document their remediation activities.

While mitigating the cybersecurity risks third-party vendors pose to your organization can be daunting, the need to implement vendor risk management to protect all you’ve built from outside threats is a growing necessity. With the right tools and resources, you can create meaningful collaboration between your organization and your vendors. SecurityScorecard’s platform gives you integrated workflows to resolve third-party vendor security and compliance issues before they become problems.

With our predictive research, your security professionals will have the insights and technology they need to keep your organization safe from the complex threats third-party vendors pose. Attackers are constantly looking for ways to exploit third-party weaknesses. Get the actionable insights you need to protect your organization’s reputation and profitability.
