Posted on Jan 3, 2019
Increasingly, companies add new third-party vendors to enable business operations. Whether it’s a cloud migration to ease workload strains or a Software-as-a-Service subscription, you’re inviting more people to interact with your data. However, you’re not just inviting your vendors, you’re also including their own third-party business partners. Business operations today are similar to hosting a party and allowing friends to bring a plus one. If your vendor is bringing a third-party business partner, you want to research them before inviting them into your data environment. Security ratings let you strengthen business relationships by giving you the information you need to review the integrated relationships that enable stronger business outcomes.
Business relationships used to rely on a handshake and goodwill. While your business partners may be trustworthy, they may not always know what’s happening in a constantly evolving cyber world. Additionally, well-meaning business partners have no control over their partners’ vendors. While they have, or should have, service level agreements with their vendors, those contractual obligations do not extend to their vendors’ vendors. This intricate web of relationships means that you need to support your trust with verification.
Security ratings offer insight into the often opaque world of vendor data controls. Reviewing your vendor’s SOC report gives you a single moment-in-time view of their control effectiveness. The same moment-in-time limitation applies to external audits and internal self-assessments. Malicious actors don’t limit their attack methodologies to a single period of time; they update them continuously. Thus, a control considered strong today can be outdated tomorrow. Moreover, many controls, such as applying security patches, only work if companies exercise them regularly. A single missed security patch can lead to a data leak or data breach despite a clean audit or SOC report. Security ratings, however, update continuously, giving you insight into strengths and weaknesses over time. Because they are built from externally observable signals, they complement, rather than replace, an audit of a vendor’s internal controls.
Security ratings take into account a variety of data controls that allow you to build trust. Any relationship, personal or business, requires trust. However, business relationships require verification of that trust.
Security ratings offer metrics for evaluating your relationships. If a business partner has a security rating of “B”, they are above average in securing data. If they have a “D”, they are below average. Companies with a “D” or “F” rating are 5.4 times more likely to be victims of data breaches than those with an “A” or “B” rating. These metrics also allow you to drill down into specifics.
Moreover, security ratings take into account a variety of controls, giving you metrics that provide insight into the effectiveness of each one. Reviewing network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering scores provides greater insight into a business partner’s strengths and weaknesses. By reviewing the individual scores, you can better evaluate your business relationship.
For example, if a business partner’s patching cadence score is low, it means that they are slow to update their systems, networks, and software, with known vulnerabilities left unpatched beyond the expected time frame, often 30 days or more. Even if every other factor is rated an A, this low patching cadence score lowers the overall score. Thus, you gain granular insight into the vendor’s controls, and can see which specific weakness is dragging an otherwise good rating down.
Even if your business partner’s score is strong, their vendors may put your data at risk. Increased interconnectedness creates a data ecosystem that can become unwieldy: your vendor has vendors, who have their own vendors. Your vendor may secure their data environment to an acceptable degree, but their vendor may not. This fourth-party business partner can put your data at risk.
Thus, finding a security ratings platform that provides insight into the entire chain of business relationships creates stronger cybersecurity protection. By using the fourth party’s cybersecurity rating, you can determine whether your vendor’s relationships place your data at risk. If the fourth party’s security rating does not align to your risk tolerance, you may want to seek a new business partner.
You’ve done your own due diligence. Your security control effectiveness earns you a security rating of A. However, you reviewed your vendor’s score, and they’re only earning a C. This gap between your score and your vendor’s score means that they do not necessarily align to your security risk tolerance. Navigating this gap means using the fact that security ratings update continuously, which lets you review the vendor’s ongoing threat mitigation and response rather than a single point in time.
As part of the vendor risk management process, organizations need to assess the amount of risk they’re willing to accept when contracting with a business partner. Moreover, the service level agreement needs to clearly outline the acceptable controls and management of those controls.
With SecurityScorecard, customers can do this within the platform. When companies and their business partners both use the platform, they can share these expectations within the dashboard. This allows organizations to set a minimum expected rating as well as timeline for suggested remediation activities in a single shared location.
By clearly communicating expectations and sharing key performance indicators, businesses and their partners can maintain more secure systems and build stronger relationships.
Service level agreements set expectations for the relationship while also defining actions that can lead to terminating it. Alerts indicate that a control no longer effectively protects the vendor’s systems, networks, and software. In some cases, these alerts arise from new threats that need to be addressed. An alert may not automatically lead to a termination, but the way in which the vendor addresses the security flaw, or fails to, may be a breach of contract.
Security ratings allow you to clearly evaluate vendor threat response strategies. An organization that experiences a data event may have a D rating for network security at the time the event occurs. Since security ratings update regularly, you can monitor the vendor for a rating change. If the rating rises over time to a C or B, you have evidence that they remediated the weakness behind the event.
If the security rating shows little or no change over time, the vendor’s security controls may no longer comply with your service level agreement requirements, which gives you metrics to support terminating the contract.
Vendor risk management becomes more complex as your third parties contract with vendors who enable their businesses. The extra degree of separation for these fourth-party business partners often seems unmanageable. While you may be able to monitor your own vendor’s security, you often feel as though you have no control over how your vendor monitors their business partners.
The SecurityScorecard platform contains security rating information for over 1 million companies worldwide. This information enables better data ecosystem oversight. If a vendor provides you a list of their third parties, you can now maintain oversight of your fourth-party business partners.
With this information, you can ensure that your business partners manage their vendor risk in ways that align with your security risk tolerance. Moreover, you maintain more control over your own security by gaining visibility into previously obscured relationships.
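The checks described above (a minimum expected rating, a remediation window in the service level agreement, watching whether a rating recovers after an event, and walking from your vendor to their vendors) can be turned into a small review routine. The sketch below is an added example, not SecurityScorecard’s code or API: the vendor names, grades, dates, the two-hop depth and the A-to-F ordering are all constructed for illustration, and a real review would load the graph and grade history from your ratings platform.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Letter grades as the article describes them: A is best, F is worst.
GRADE_RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}


@dataclass
class Vendor:
    """One company in the ecosystem: a dated history of overall grades
    (oldest first) and the names of its own vendors (our fourth parties)."""
    name: str
    history: list[tuple[date, str]]
    vendors: list[str] = field(default_factory=list)

    @property
    def current_grade(self) -> str:
        return self.history[-1][1]


def meets_tolerance(grade: str, minimum: str) -> bool:
    """True when `grade` is at least as good as the contractual minimum."""
    return GRADE_RANK[grade] >= GRADE_RANK[minimum]


def chain_violations(ecosystem: dict[str, Vendor], root: str, minimum: str,
                     max_depth: int = 2) -> list[tuple[str, str]]:
    """Breadth-first walk from our direct vendor `root` through its vendors'
    vendors, up to `max_depth` hops. Returns (path, grade) for every company
    below `minimum`; a name with no rating is reported as 'unrated' so gaps
    in coverage are visible rather than silently passing."""
    violations: list[tuple[str, str]] = []
    seen: set[str] = set()
    frontier = [(root, root, 0)]
    while frontier:
        name, path, depth = frontier.pop(0)
        if name in seen:          # shared vendors are reviewed once
            continue
        seen.add(name)
        vendor = ecosystem.get(name)
        if vendor is None:
            violations.append((path, "unrated"))
            continue
        if not meets_tolerance(vendor.current_grade, minimum):
            violations.append((path, vendor.current_grade))
        if depth < max_depth:
            for sub in vendor.vendors:
                frontier.append((sub, f"{path} > {sub}", depth + 1))
    return violations


def sla_status(vendor: Vendor, minimum: str, remediation_days: int,
               today: date) -> str:
    """Classify a vendor against an SLA with a minimum grade and a window:
      'compliant'   - current grade meets the minimum
      'remediating' - below minimum, but still inside the window
      'improving'   - past the window, yet the grade has risen since the drop
      'breach'      - past the window with little or no change"""
    if meets_tolerance(vendor.current_grade, minimum):
        return "compliant"
    # Locate the start of the current out-of-tolerance streak.
    streak_start, grade_at_start = vendor.history[-1]
    for observed_on, grade in reversed(vendor.history):
        if meets_tolerance(grade, minimum):
            break
        streak_start, grade_at_start = observed_on, grade
    if (today - streak_start).days <= remediation_days:
        return "remediating"
    if GRADE_RANK[vendor.current_grade] > GRADE_RANK[grade_at_start]:
        return "improving"
    return "breach"


# Constructed sample ecosystem (hypothetical companies and grades).
ECOSYSTEM = {
    "Acme SaaS": Vendor("Acme SaaS",
                        [(date(2018, 10, 1), "B"), (date(2018, 12, 1), "B")],
                        vendors=["Beta Hosting", "Gamma Payroll"]),
    "Beta Hosting": Vendor("Beta Hosting",
                           [(date(2018, 9, 1), "B"), (date(2018, 10, 1), "D"),
                            (date(2018, 12, 1), "C")],
                           vendors=["Delta DNS"]),
    "Gamma Payroll": Vendor("Gamma Payroll", [(date(2018, 12, 1), "A")],
                            vendors=["Epsilon Analytics"]),  # not rated below
    "Delta DNS": Vendor("Delta DNS", [(date(2018, 12, 1), "F")]),
}
AS_OF = date(2019, 1, 3)   # review date, chosen to match the post date


if __name__ == "__main__":
    for path, grade in chain_violations(ECOSYSTEM, "Acme SaaS", minimum="B"):
        print(f"below tolerance: {path} ({grade})")
    for name in ("Beta Hosting", "Delta DNS", "Gamma Payroll"):
        print(name, "->", sla_status(ECOSYSTEM[name], "B", 30, AS_OF))
```

Running it flags Beta Hosting (C) and its vendor Delta DNS (F) as below the B tolerance and reports Epsilon Analytics as unrated; Beta Hosting comes back as "improving" because its grade has climbed from D to C since the October drop, while Delta DNS, past the 30-day window with no change, is a breach of the SLA and a candidate for the termination discussion the article describes.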
SecurityScorecard’s machine learning technology rates companies across ten risk factors: application security, network security, DNS health, patching cadence, endpoint security, IP reputation, cubit score, hacker chatter, leaked credentials, and social engineering. Our platform enables you to drill down into specifics within each factor, giving you the most granular view of how your ecosystem is performing. Additionally, we have more than 1 million companies rated in the platform, providing more information to support your business reviews, including those of your fourth parties.
Our easy-to-read security ratings align to traditional grading systems of A through F, with A being the best. Thus, by aligning your service level agreements to the ten risk factors, you can create strong business relationships that effectively monitor your cybersecurity across your entire ecosystem, not just your own data environment.