You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.
To ensure that you’re protected from vendor risks—particularly as they apply to cybersecurity—follow the five steps below.
1. List all of your vendors and third parties.
Don’t write this step off as being simplistic; no vendor relationship should be considered inconsequential. With the help of department heads around your organization, make a thorough list of every vendor, third party, contractor, business unit, and partner you work with, no matter how minor the connection may seem.
2. Tier the listed vendors based on criticality.
Based on the impact a breach would have on your company, sort vendors into three categories—high, medium, and low risk. You’ll have to determine the assessment criteria yourself, but you should consider the following for certain:
- How much access the vendor has to your data.
- The sensitivity of the data your vendor has access to.
- How critical the vendor’s work is to your daily operations.
3. Assess the security of your most critical vendors.
At this point, you know which vendors you consider highest risk—emphasize security assessments for those vendors first. There are a few ways you can go about assessing their security:
- Perform a technical scan. Penetration tests and vulnerability scans provide a deep, technical analysis of your vendor’s network.
- Ask them to fill out a questionnaire. Many companies use standard vendor questionnaire lists like those from Shared Assessments to start, then add additional questions specific to their own organization.
- Send someone to do an on-site visit. A representative from your organization may interview the vendor personally based on questions from ISO 27001 or NIST Special Publication 800-53 to get a better understanding of that vendor’s security.
Note: These assessment methods are common and will help you examine supplier risks to a degree—but they aren’t without their flaws. This article goes into more detail on why traditional vendor risk management strategies fall short, and why continuous monitoring software—which we’ll discuss on later in the article—is so important.
4. Make sure all your vendor contracts clearly define cybersecurity expectations.
If your cybersecurity expectations for your third parties aren’t crystal clear, you’re increasing your vendor risk dramatically. Consider what you want your vendors to be held accountable for, and work with your legal team to ensure all future contracts lay out these expectations clearly. For example, you may want to hold your vendors to an industry-specific compliance standard or add breach notification requirements. You’ll also need to return to previous contracts to ensure this language is present, and renegotiate those where it is not.
5. Use ongoing monitoring software for the highest level of protection.
As we mentioned, traditional vendor risk management strategies like penetration tests and questionnaires have their merits and shouldn’t be discounted—but these tools can only capture the security of a vendor at the moment the test is performed. Cybersecurity is constantly evolving—which is why employing the use of a continuous monitoring tool like BitSight is so important. When you use BitSight’s Security Ratings, you’ll know almost immediately when a vendor’s network changes so they can begin remediating any issues right away.
Want a list of the questions you should be asking your vendors?
This free guide outlines just that, along with risk vectors and configurations you should know about, and more. Download it today to keep your vendor risk initiatives going strong!