
Vendor Risks: 5 Ways To Improve Third-Party Cybersecurity

Jake Olcott | November 30, 2017

You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.


To ensure that you’re protected from vendor risks—particularly as they apply to cybersecurity—follow the five steps below.


1. List all of your vendors and third parties.

Don’t write this step off as being simplistic; no vendor relationship should be considered inconsequential. With the help of department heads around your organization, make a thorough list of every vendor, third party, contractor, business unit, and partner you work with, no matter how minor the connection may seem.

2. Tier the listed vendors based on criticality.

Based on the impact a breach would have on your company, sort vendors into three categories—high, medium, and low risk. You’ll have to determine the assessment criteria yourself, but you should consider the following for certain:

  • How much access the vendor has to your data.
  • The sensitivity of the data your vendor has access to.
  • How critical the vendor’s work is to your daily operations.

3. Assess the security of your most critical vendors.

At this point, you know which vendors you consider highest risk—emphasize security assessments for those vendors first. There are a few ways you can go about assessing their security:

  • Perform a technical scan. Penetration tests and vulnerability scans provide a deep, technical analysis of your vendor’s network.
  • Ask them to fill out a questionnaire. Many companies use standard vendor questionnaire lists like those from Shared Assessments to start, then add additional questions specific to their own organization.
  • Send someone to do an on-site visit. A representative from your organization may interview the vendor personally based on questions from ISO 27001 or NIST Special Publication 800-53 to get a better understanding of that vendor’s security.

Note: These assessment methods are common and will help you examine supplier risks to a degree—but they aren’t without their flaws. Each of them captures a vendor’s security only at the moment the assessment is performed. This article goes into more detail on why traditional vendor risk management strategies fall short, and why continuous monitoring software—which we’ll discuss later in the article—is so important.

4. Make sure all your vendor contracts clearly define cybersecurity expectations.

If your cybersecurity expectations for your third parties aren’t crystal clear, you’re increasing your vendor risk dramatically. Consider what you want your vendors to be held accountable for, and work with your legal team to ensure all future contracts lay out these expectations clearly. For example, you may want to hold your vendors to an industry-specific compliance standard or add breach notification requirements. You’ll also need to return to previous contracts to ensure this language is present, and renegotiate those where it is not.

5. Use ongoing monitoring software for the highest level of protection.

As we mentioned, traditional vendor risk management strategies like penetration tests and questionnaires have their merits and shouldn’t be discounted—but these tools can only capture the security of a vendor at the moment the test is performed. Cybersecurity is constantly evolving—which is why using a continuous monitoring tool like BitSight is so important. When you use BitSight’s Security Ratings, you’ll know almost immediately when a vendor’s network changes, so the vendor can begin remediating any issues right away.
