Posted on Jan 3, 2019
Increasingly, companies are working with third-party vendors to streamline business operations. Whether it’s cloud migration to ease workload strains or using a Software-as-a-Service, adding new vendors to your network increases the number of people who interact with your data.
It's not just your vendors who gain access to your data: Their third-party business partners gain access as well. This is why it is essential that you research all vendors and partners before inviting them into your data environment. With security ratings, you gain valuable insights into business operations so that you can better understand complex third-party relationships and enable stronger business outcomes. In a time where sound third-party partnerships are critical to business success, access to security ratings can help bolster these relationships and maintain security.
While your business partners may be trustworthy, they may not always be aware of what’s happening in the constantly evolving cyber world. In addition, even well-meaning business partners have no control over their partners’ vendors. While they should have service level agreements with their vendors, the contractual obligations do not extend to their vendors’ vendors. This intricate web of relationships makes it difficult to verify whether or not a third-party vendor is taking adequate steps to monitor compliance and ensure security. Reviewing your vendor’s SOC report gives you a single moment-in-time insight into their control effectiveness. The issue is that these reports do not accurately assess security since threat actors do not limit their attack methodologies to a single period of time. The same moment-in-time limitations exist with external audits or internal self-assessments. Thus, what might be considered a strong security control today can be outdated tomorrow.
Moreover, many security updates, such as security patches, require companies to review their controls regularly. A single missed security patch can lead to a data breach, despite a strong audit or SOC report. This is why it is essential that you do your due diligence during the merger and acquisition phase to make sure all vendors have comprehensive security controls in place. Security ratings enable the due diligence process by providing insights into vendor strengths and weaknesses, giving you complete visibility into vendor security postures, and enabling the development of a well-thought-out business partnership plan.
Security ratings take into account a variety of data controls that allow you to accurately assess a vendor’s security posture. With a holistic view of a vendor’s security infrastructure, you can actively manage third-party risk and build trust in your business relationships.
Security ratings measure security ecosystems across ten groups of risk factors using an A-F ratings scale. If a business partner has a security rating of "F”, they are 7.7 more likely to suffer a data breach than companies with an A. These metrics also allow you to drill down into specifics - this way, you can come up with a plan for partner risk remediation should you want to go forward in the business relationship.
Moreover, security ratings take into account a variety of controls giving you metrics that provide insight into the effectiveness of specific controls. Reviewing network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering scores provides greater insight into a business partner’s strengths and weaknesses. By reviewing the individual scores, you can better evaluate your business relationship.
Even if your business partner’s score is strong, their vendors may put your data at risk. Increased interconnectedness creates a data ecosystem that can become difficult to track and manage. Even if your vendor has secured their data environment to an acceptable degree, their vendor may not have, opening the door to potential data security risks. Finding a security ratings platform that provides insight into the entire chain of business relationships creates stronger cybersecurity protection. With the visibility gained from a fourth-party security rating, you can determine whether your vendor’s relationships put your data at risk. If the fourth party’s security rating does not align to your risk tolerance, you may want to seek a new business partner or discuss options for addressing security gaps with the affected vendor.
You’ve done your own due diligence. Your security control effectiveness earns you a security rating of A. However, you reviewed your vendor’s score, and they’re only earning a C. This gap between your score and your vendor’s score means that they do not necessarily align to your security risk tolerance. Navigating this gap means understanding that security ratings continuously update to provide an effective review of ongoing threat mitigation and response strategies. Below are three steps you can take to effectively navigate the security ratings “gap”:
As part of the vendor risk management process, organizations need to assess and determine the amount of risk they’re willing to accept when contracting with a business partner. Moreover, the service level agreement needs to clearly outline the acceptable controls and management of those controls. This can be done by setting risk tolerance and appetite thresholds at your organization.
With SecurityScorecard, customers can set and manage expectations in-platform. When companies and their business partners both use SecurityScorecard, they can share expectations within the dashboard, allowing organizations to set a minimum expected rating as well as a timeline for suggested remediation activities in one single, shared location.
By clearly communicating expectations and sharing key performance indicators, businesses and their partners will be on the same page, able to maintain more secure systems and strengthen relationships.
An alert on a vendor's network indicates that a control is no longer effectively protecting their company’s systems, networks, and software. Typically, these alerts signal that there are new network threats that need to be addressed by the vendor. When there is an alert, it is important to monitor how your vendor responds to active threats. This will help you analyze the effectiveness of their security monitoring strategy and ensure that it is in line with the terms outlined in your service level agreements.
Security ratings allow you to clearly evaluate vendor threat response strategies. An organization who experiences a data event may have a “D” security rating for network security at the time the event occurs. Since security ratings update regularly, you can monitor the vendor for a rating change. If the security rating increases over time to “C” or “B”, then you know they responded appropriately to the event.
If a low security rating shows little or no change over time, the vendor’s security controls may no longer comply with your service level agreement requirements. You can then use the security rating metrics to evaluate and potentially terminate the contract if need be.
Vendor risk management becomes more complex as your third-parties contract with vendors for their businesses. While you may be able to monitor your own vendor’s security, you often have little control over how your vendors monitor their business partners. SecurityScorecard’s security ratings platform contains security rating information for over 1.5 million companies worldwide, enabling better data ecosystem oversight. With this information, you can ensure that your business partners manage their vendor risk in ways that align with your security risk tolerance. This allows you to take control over your own security by gaining visibility into previously obscured relationships.
Having visibility into your third-party ecosystem is essential to the success of your business partnerships. SecurityScorecard helps you take a holistic approach to vendor management by rating companies across 10 risk factors including application security, network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering. This helps you to drill down into specifics within each factor, and work with vendors to make sure each risk is addressed.
By aligning your service level agreements with SecurityScorecard’s ten major risk factors, you gain insight into your business partners’ risk ecosystem, allowing you to more accurately evaluate partner relationships. This lays the groundwork for establishing stronger business relationships as you can then work with your partners on an ongoing basis to address any vulnerabilities or risks identified on their networks.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.