
Vendor Risks: 5 Ways To Improve Third-Party Cybersecurity

Jake Olcott | November 30, 2017

You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.

Streamline your vendor risk management process with these tools and techniques.

To ensure that you’re protected from vendor risks—particularly as they apply to cybersecurity—follow the five steps below.


1. List all of your vendors and third parties. 

Don’t write this step off as being simplistic; no vendor relationship should be considered inconsequential. With the help of department heads around your organization, make a thorough list of every vendor, third party, contractor, business unit, and partner you work with, no matter how minor the connection may seem.

2. Tier the listed vendors based on criticality. 

Based on the impact a compromise of the vendor would have on your company, sort vendors into three categories: high, medium, and low risk. You will have to define the assessment criteria yourself, but at a minimum consider:

  • How much access the vendor has to your data and systems (hosted data, network connectivity, API credentials, accounts on your infrastructure).
  • The sensitivity of the data the vendor can reach.
  • How critical the vendor's service is to your daily operations, and how quickly you could operate without it.

3. Assess the security of your most critical vendors.

At this point, you know which vendors you consider highest risk—emphasize security assessments for those vendors first. There are a few ways you can go about assessing their security:

  • Perform a technical scan. Vulnerability scans and penetration tests give a technical, point-in-time view of the vendor's security, typically limited to what is exposed to you (internet-facing systems, or the integration you share). Both require the vendor's written authorization and an agreed scope before you begin.
  • Ask them to fill out a questionnaire. Many companies start from a standard vendor questionnaire such as the Shared Assessments SIG, then add questions specific to their own organization. Treat answers as self-reported claims and ask for supporting evidence (policies, audit reports, configuration screenshots) for the controls that matter most.
  • Send someone to do an on-site visit. A representative from your organization interviews the vendor in person, using control sets such as ISO 27001 Annex A or NIST Special Publication 800-53 as the basis for the questions, to get a better understanding of that vendor's security in practice.

Note: These assessment methods are common and will help you examine supplier risk to a degree, but each captures only a snapshot of the vendor at the time it is performed. This article goes into more detail on why traditional vendor risk management strategies fall short, and why continuous monitoring software, which we'll discuss later in the article, is so important.

4. Make sure all your vendor contracts clearly define cybersecurity expectations.

If your cybersecurity expectations for your third parties aren't written down, you have no way to hold a vendor accountable when something goes wrong. Decide what you want your vendors to be responsible for, and work with your legal team to ensure all future contracts state these expectations explicitly. For example, you may want to hold vendors to an industry-specific compliance standard, require breach notification within a defined time window, reserve a right to audit or to receive assessment results, and require that the same obligations flow down to the vendor's own subcontractors. You will also need to revisit existing contracts to confirm this language is present, and renegotiate those where it is not.

5. Use ongoing monitoring software for the highest level of protection.

As we mentioned, traditional vendor risk management tools like penetration tests and questionnaires have their merits and shouldn't be discounted, but they only capture a vendor's security at the moment the assessment is performed. A vendor's posture changes between assessments, which is why a continuous monitoring tool like BitSight matters. With BitSight's Security Ratings, you are alerted when a vendor's externally observable security posture changes, so you can raise the issue with the vendor and track remediation right away rather than waiting for the next annual review.

Want a list of the questions you should be asking your vendors?

This free guide outlines just that, along with the risk vectors and configurations you should know about, and more. Download it today to keep your vendor risk initiatives going strong.
