Best Practices for Third Party and Vendor Cybersecurity Risk Management

Hanan Bumpus of BitSight Technologies shares 5 strategies for reducing risk.

Cybersecurity has become an organization-wide effort, not a single individual’s job. Organizations simply do not have enough resources to keep up with the increasing and changing landscape of cybersecurity risks.

Notably, we are seeing a significant increase in attacks coming from third parties, such as data breaches through a business partner or other third parties. According to a 2017 Ponemon study sponsored by Opus, 56% of data breaches are attributed to third parties – and, in 2018, that number is up to 59%.

Third parties are harder to “control” as they are not your own organization, and it can be challenging to gain insight into their cybersecurity practices. At the same time, we are seeing an increase in third party vendors and suppliers due to the rise of outsourcing, which relies on data sharing and connectivity.

It’s a lot to take in – but one thing we can all agree on is that cybersecurity risk management is mission critical, regardless of regulatory environment or industry.

Creating a Cybersecurity Risk Management Strategy

Although cybersecurity challenges continue to evolve, a few high-level best practices can be distilled. Organizations that implement these best practices into their cybersecurity risk management will be better equipped to address risk surrounding vendors and third parties.

Build your cybersecurity risk management strategy to scale

Vendor risk needs to be managed in a way that scales to support business needs. The security landscape will continue to change, and demands will grow. Cybersecurity risk management programs must be built in a way that avoids stagnation, including using agile approaches to detection and remediation. Focus on the right companies in your supply chain by leveraging additional data and context. Every organization has a different risk appetite, which should align with business impact.

Proactively manage high-risk vendors

Companies must be able to identify their highest-risk vendors and prioritize their efforts on them. This can be achieved by using independent third parties to validate the questionnaires or risk assessments received from vendors. Questionnaires are static, moment-in-time, and self-reported. Although questionnaires provide some level of insight into your vendors’ cybersecurity, they need to be validated against other data points on vendor performance.

Continuously monitor vendor security

Because the security of your third parties can change in an instant, you can no longer wait for the annual risk and security assessment to get the most up-to-date information on the cybersecurity of your vendors. Tools such as BitSight security ratings enable continuous monitoring of the performance of third- and fourth-party vendors. Continuous monitoring not only equips you with real-time knowledge of a specific vendor’s performance, but also allows you to manage the security performance of your entire vendor ecosystem.

Collaborate with vendors to reduce risk

Communication with your third parties is critical for effective collaboration and risk reduction. Companies need the ability to bridge the gap between cybersecurity incidents and communication with vendors in their ecosystem. Communication is a critical component of a good vendor cybersecurity risk management plan and includes defining a clear workflow for dealing with changes in vendor risk posture and negative changes in risk rating.

Regularly report success to executives and board members

Share vendor risk management improvements with executives and the Board. This requires a complete view of your vendor ecosystem and its performance over time (a year or more). To understand and ultimately improve your program, you must measure outcomes and demonstrate success through specific, well-defined metrics, using historical data to identify trends and patterns of concern. Metrics that can be shared with the Board of Directors and other executives who can support your program are key to improvement.

It is increasingly difficult to identify which relationships are exposing companies to risk, and what those risks are. Increased regulatory scrutiny and requirements add to the challenge. Regulations such as the New York Department of Financial Services Cybercrime Legislation extend guidance to a firm’s third parties and require clear programs and policies around defining and maintaining cybersecurity programs.

Further, the continuously evolving cybersecurity risk landscape and the increasing reliance on the exchange of data are affecting cybersecurity risk management around the globe. The best practices outlined above provide a high-level framework for thinking about how to best approach the challenges, and ultimately make security risk decisions with speed and effectiveness.

Learn more about how Opus and BitSight are working together to help companies develop holistic cybersecurity risk management.