Posted on Jul 16, 2020
Your vendors are likely a big part of your business. In fact, vendors are a core part of most organizations: they act as partners, provide cloud services, store sensitive data, and deliver other mission-critical services. Unfortunately, vendors can also provide a backdoor for cyber criminals who want to get their hands on your data and get their malware into your infrastructure.
Vendor security can be a frustrating subset of cybersecurity; you don’t have the same degree of control over your vendors as you do over your own employees. You can’t require the employees or contractors of another company to adhere to your security standards. Yet if your customers’ data is exposed because of a third party, that breach is still your responsibility, and it’s likely to cost you more than if your own employees had caused it. According to Ponemon’s 2019 Cost of a Data Breach Report, when a third party causes a data breach, the average cost rises by more than $370,000.
For this reason, it’s critical that you do your due diligence when assessing your vendor’s security controls.
Vendor due diligence is the process of ensuring that your third parties aren’t a source of unwarranted risk – essentially, vendor due diligence is an audit. The process of due diligence covers all types of risk — business, legal, financial, and cyber risk.
When it comes to cyber risk, you’re determining whether your third parties’ security controls are on par with your own and that they aren’t giving cyber criminals easy access to your networks, systems, or data. If a vendor is specifically providing IT services, you’ll have to undertake additional due diligence: because they’ll be handling your data, your contract should give you the right to audit their security measures. You should also know how they plan to respond to breaches and whether they have experienced breaches in the past.
When you request information about a vendor’s controls, they often respond with an SSAE 16 (Statement on Standards for Attestation Engagements) report, delivered in the form of a Service Organization Controls (SOC) report. (SSAE 16 was superseded by SSAE 18 in 2017, and the AICPA now expands SOC as System and Organization Controls; the report types themselves are unchanged.) These reports can be long, and the vendor has discretion over which type of SOC report it submits and what is covered in it. A SOC 1 covers controls relevant to financial reporting, while a SOC 2 covers the security, availability, processing integrity, confidentiality and privacy criteria; and only a Type II report tests whether the controls operated effectively over a period, rather than merely being suitably designed at a point in time. For a security review, the SOC 2 Type II is the one to ask for.
The Cybersecurity Framework published by NIST (National Institute of Standards and Technology) is designed to help private companies identify, protect against, detect, respond to and recover from cyber risks. Its core material is divided into five major functions: Identify, Protect, Detect, Respond, and Recover.
Those five functions are divided into a total of 23 categories, which are further broken down into subcategories (specific cybersecurity outcomes) and informative references that point to concrete controls in standards such as ISO/IEC 27001 and NIST SP 800-53. (For example, Risk Assessment, ID.RA, is a category under the Identify function, and "asset vulnerabilities are identified and documented", ID.RA-1, is one of its subcategories.)
It’s a structured way to examine cybersecurity risks and controls, and used properly, NIST’s Cybersecurity Framework can be a tool that helps you sort through your SOC reports quickly and consistently.
Normally, when you’re conducting an SSAE 16 review, you read the whole report looking for exceptions that lack an adequate management response, and you pass the complementary user entity controls (the controls the vendor assumes you, the customer, operate on your side) to the system owner or to IT so they can be implemented.
This takes time, and there’s not a lot of structure to it. The Cybersecurity Framework gives you a structured way to search each report.
Walking the five functions in order lets you search the report efficiently: under Identify you look for the vendor’s risk assessment, under Respond for its response plans, and so on, so that you check every necessary risk objective and don’t lose your place in the framework.
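The script below is an added example of that structured pass, not code from the original post or from SecurityScorecard. It reads a reviewer’s worksheet of the controls tested in a hypothetical SOC 2 Type II report, each tagged with the NIST CSF v1.1 subcategory the reviewer mapped it to (the subcategory IDs such as PR.AC-1 and ID.RA-1 are real CSF identifiers; the worksheet rows, the CUEC list and the mapping of each SOC control to a subcategory are constructed assumptions), and then produces the three things the review is looking for: which of the five functions the report gives no evidence for, which auditor exceptions have no management response, and which complementary user entity controls must be handed to an internal owner.

```python
"""Triage a SOC report's tested controls against the five NIST CSF functions.

Added example, not SecurityScorecard's or NIST's own code. The worksheet and
CUEC list below are constructed; the CSF v1.1 subcategory IDs (PR.AC-1,
ID.RA-1, ...) are real, but tagging each SOC control with a subcategory is a
judgement the reviewer makes while reading the report (an assumption here).
"""
import csv
import io
from collections import defaultdict

# The five CSF core functions, keyed by the prefix used in subcategory IDs.
CSF_FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Constructed reviewer worksheet for a hypothetical SOC 2 Type II report.
# 'exception' is empty when the auditor noted no deviation; 'mgmt_response'
# is empty when management gave no response to the exception.
WORKSHEET = """control_id,csf_ref,description,exception,mgmt_response
CC6.1,PR.AC-1,Access provisioning requires an approved ticket,,
CC6.3,PR.AC-4,Quarterly review of privileged accounts,2 of 4 quarterly reviews not evidenced,
CC7.2,DE.CM-1,IDS alerts reviewed daily by the SOC,,
CC7.4,RS.RP-1,Incident response plan executed for incidents,Plan not exercised during the period,Tabletop exercise scheduled for Q3
CC3.2,ID.RA-1,Annual vulnerability assessment of production,Two critical findings open more than 90 days,
CC6.7,PR.DS-1,Customer data encrypted at rest,,
"""

# Constructed complementary user entity controls (CUECs) from the same report:
# controls the vendor assumes its customers operate themselves.
CUECS = [
    ("PR.AC-1", "Customer revokes user access in the service when staff leave", "IT"),
    ("PR.AC-7", "Customer enforces MFA for its administrator accounts", "IT"),
    ("DE.CM-1", "Customer reviews the service's audit log export", "System owner"),
]


def parse_worksheet(text):
    """Read the reviewer's worksheet into a list of dicts, one per tested control."""
    return list(csv.DictReader(io.StringIO(text)))


def function_of(csf_ref):
    """Map a subcategory ID such as 'PR.AC-1' to its CSF function name."""
    prefix = csf_ref.split(".", 1)[0]
    if prefix not in CSF_FUNCTIONS:
        raise ValueError(f"not a CSF subcategory ID: {csf_ref!r}")
    return CSF_FUNCTIONS[prefix]


def coverage_by_function(rows):
    """How many tested controls give evidence under each of the five functions."""
    counts = {name: 0 for name in CSF_FUNCTIONS.values()}
    for row in rows:
        counts[function_of(row["csf_ref"])] += 1
    return counts


def functions_without_evidence(rows):
    """Functions the report says nothing about; the reviewer must ask the vendor for them."""
    return [name for name, n in coverage_by_function(rows).items() if n == 0]


def unanswered_exceptions(rows):
    """Auditor exceptions with no management response: the items to raise with the vendor."""
    return [
        (row["control_id"], row["csf_ref"], row["exception"])
        for row in rows
        if row["exception"] and not row["mgmt_response"]
    ]


def cuec_handoff(cuecs):
    """Group CUECs by the internal owner who must implement them on our side."""
    by_owner = defaultdict(list)
    for csf_ref, text, owner in cuecs:
        by_owner[owner].append((csf_ref, text))
    return dict(by_owner)


def review(text=WORKSHEET, cuecs=CUECS):
    """Walk the framework in function order and return the review summary as text."""
    rows = parse_worksheet(text)
    counts = coverage_by_function(rows)
    lines = [f"{name}: {counts[name]} control(s) tested" for name in CSF_FUNCTIONS.values()]
    lines.append("No evidence for: " + (", ".join(functions_without_evidence(rows)) or "none"))
    for control_id, csf_ref, exc in unanswered_exceptions(rows):
        lines.append(f"FOLLOW UP {control_id} ({csf_ref}): {exc} [no management response]")
    for owner, items in cuec_handoff(cuecs).items():
        lines.append(f"CUECs for {owner}: " + "; ".join(f"{ref} {txt}" for ref, txt in items))
    return "\n".join(lines)


if __name__ == "__main__":
    print(review())
```

Run as-is it prints the per-function counts, reports that the constructed report offers nothing under Recover, lists the two exceptions that management never answered (the privileged-access review and the overdue critical vulnerabilities; the incident-response exception has a response and is not flagged), and groups the CUECs by the team that has to implement them. Tagging each SOC control with a CSF subcategory as you read is the step that turns a long narrative report into something you can search by function.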
Vendors are an important part of your business, but when you work with a third party, their risk becomes your risk. To reduce the administrative time and effort spent managing third-party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Atlas uses artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload your vendors’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and to our platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read Security Ratings, based on an A-F scale, let you give your leadership the documentation needed to demonstrate governance over your vendor risk management program.