Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions
The past year has seen an influx of ransomware attacks on prominent businesses, large-scale government breaches, and hacks of critical infrastructure. While globalization has brought about unprecedented economic gains, it has also complicated business resilience and risk management for most organizations.
Today, a single cyberattack can impact entire supply chains. For instance, in the recent Kaseya ransomware attack, criminals leveraged an exposure in the software vendor’s network management solution to first compromise several managed services providers, using the compromised MSPs as a stepping stone to target several hundred small and medium-sized businesses.
Building a practical cyber risk monitoring program can help to identify security exposures in your supply chain, ensure regulatory compliance, and reduce the risk of severe disruptions from third-party vendors.
Cyber risk monitoring is the practice of regularly evaluating third-party vendors to ensure that their cybersecurity policies align with best practices and don't pose an unacceptable risk to your organization. Cyber risk monitoring is a piece of a broader third-party monitoring program.
Organizations monitor their vendors based on various criteria, including financial health, ESG risks, and contract performance. Monitoring vendors for cybersecurity risk typically consists of several constituent elements to include:
Data Breach Monitoring
Exposed Credentials Monitoring
Routine Vendor Risk Assessment Questionnaires
Many organizations assume that they can effectively mitigate their cyber risk if they build a robust internal information security program. However, in recent years, malicious actors have increasingly targeted third-party contractors and vendors with access to critical systems and sensitive data at other, larger organizations. By hijacking a vendor's access to their customers and business partners, attackers can bypass otherwise complex and well-funded security programs..
Third-party data breaches are becoming an increasing problem for organizations both large and small. A cybersecurity incident at a third- or fourth-party supplier can jeopardize proprietary information, customer data, employee data, and more. Continuous monitoring can alert you to exposed vendor credentials or lapses in cybersecurity that could lead to a data breach down the road.
Companies are under an increasing array of cybersecurity and data protection compliance requirements. In many cases, compliance requirements have strict provisions relating to how data is shared with third parties and information security requirements. Sharing sensitive, regulated information with an insecure vendor can result in fines, penalties, and potentially legal consequences for both your organization and the vendor.
For example, under HIPAA, vendors dealing with PHI are classified as business associates. This requires them to employ the same procedures and cybersecurity safeguards as the prime organization. If a HIPAA business associate fails to meet compliance requirements, both the healthcare organization and third-party vendor can be held liable with steep fines.
Here are some additional regulations and standards have specific requirements for monitoring third-party cyber risk:
Not all vendors require access to sensitive or regulated information. However, it can still be helpful to understand their security posture if they have any level of access to information systems or work on-premises. In many cases, vendors' cybersecurity profiles change as their organizations adopt new standards, change software, purchase other companies, and expand. Conducting ongoing monitoring throughout the lifecycle of the relationship can help prevent surprises that the initial vendor risk questionnaire wouldn’t capture.
For example, Target was the victim of a data breach in 2013 that exposed PII (Personally Identifiable Information) to tens of millions of their customers. The breach was caused by an HVAC vendor, not the type of company that would typically receive detailed vetting. Understanding a vendor's cybersecurity posture and continuously monitoring for breaches can help your organization decide which systems and information to get access to and formulate controls to reduce the risk of a breach.
Free Third-Party Risk Monitoring Report
Get a complimentary Prevalent Vendor Threat Monitor (VTM) report for your organization or a third party of your choice.
We’ve established the importance of monitoring your third-, fourth- and Nth-party vendors for cyber risk. But how do you conceptualize effectively monitor vendors for cyber risk in our increasingly interconnected and complex world? Here are the steps you need to take to build a robust cyber risk monitoring system that can alert you to issues before you fail a compliance audit or experience a data breach.
Every vendor you work with poses a certain level of risk to your organization. It is up to you to define which risks you are comfortable with, and ensure that vendors are given security ratings that accurately reflect the level of risk they pose to your operations and sensitive data. In many cases, you may need to require vendors to reduce their level of risk until their residual risk is acceptable. Take a look at our post on inherent versus residual risk for more information on conceptualizing vendor risk.
Vendor Risk Questionnaires are critical for third-party onboarding vendors. Particularly when vendors will have access to sensitive data or when your organization operates under numerous compliance requirements. Vendor Risk Questionnaires may cover topics such as financial health, operational stability, ESG, and other concerns, but cybersecurity is one of the most critical components. Some questions you might consider including:
Does your organization have any third-party information security certifications such as SOC2, ISO27001, or CMMC?
Does your organization adhere to a specific cybersecurity framework or model?
Does your organization have an in-house cybersecurity team or work with an outside IT Service Provider or Managed Security Services Provider?
Using Third-Party Risk Management Software can enable you to quickly and easily create questionnaires based on a library of dozens of customizable templates. For vendors with particularly high-risk profiles or dealing with large amounts of your organization’s sensitive data, you may consider conducting routine vendor assessment questionnaires. Check out our blog on vendor risk assessment questionnaire best practices for more information.
Before onboarding a new vendor, be sure to gather information about data breaches they have experienced, including information about affected systems and records – plus remediations and mitigations. Then, be sure to continuously monitor for news and evidence of new data breaches. For instance, dark web scanning is quickly becoming a critical part of third-party risk management. In many cases, organizations will have exposed emails and passwords for sale on the dark web that they are unaware of and could easily lead to a data breach or security incident. Fortunately, specific scanning for exposed credentials is easy and can provide valuable insight into whether the organization has already experienced a data breach or has poor user management practices. Prevalent offers dark web scanning and data breach reporting as part of its vendor risk monitoring solution.
In many cases vendors may require onsite access to IT assets to complete contracted work. However, cybersecurity risk doesn’t stop once the vendor leaves the building. You should ensure that your organization has clear policies in place to govern what access the vendor has to your information technology assets. It is important to remember that vendor mistakes or data breaches can ultimately become your responsibility, especially with specific compliance requirements.
Executive Brief: How to Get More from Third-Party Risk Scores
Discover how to build a more comprehensive, actionable and cost-effective vendor risk monitoring program.
You can reduce your exposure to third-party cybersecurity threats by incorporating these best practices into your program:
Questionnaire-based cybersecurity assessments are typically completed once or twice a year. Complementing periodic assessments with continuous cyber risk monitoring enables you to stay on top of changes in vendor cyber risk posture as new threats emerge. Monitoring a vendor’s cybersecurity performance also enables you to validate their assessment responses against externally observable evidence of data breaches and other incidents. By implementing a robust third-party risk monitoring solution, you can manage the vendor risk management lifecycle with confidence and respond to security gaps, compliance issues, and potential data breaches before they impact your business.
The past doesn’t necessarily predict the future, but it can provide insight into how seriously an organization takes cybersecurity. If an organization has experienced numerous data breaches in the recent past, it may serve as a good indicator that your organization's data could become compromised.
You should employ the principle of least privilege for every vendor that you work with. Ensure that they are only provided access to critical systems and data required to perform their work. While the vendor conducts their work, confirm that you have adequate monitoring in place to ensure that they aren’t accessing unnecessary systems or data. Finally, make sure that you have an effective vendor offboarding program in place to revoke access upon completion.
Vendors with robust cybersecurity programs who aren’t dealing with sensitive information may require less monitoring than vendors working with customer information or trade secrets. Be sure to profile, categorize and tier third parties according to their inherent risk during the vendor onboarding process. This will make it easy for you to determine the frequency and scope of risk assessments, as well as the level of monitoring that you need to perform for each vendor. As a result, you will use your resources wisely and scale your cyber monitoring activities to the risk the vendor represents.
Building an effective cyber risk monitoring program has never been more important. Prevalent makes it easy to manage third-party and fourth-party risk throughout your supply chain. Our vendor risk management platform combines continuous cyber risk monitoring with business, financial and reputation monitoring – coupled with automated vendor risk assessment capabilities for a 360-degree view of vendor risk. Request a demo today to see if Prevalent is a fit for you.
Here are 7 ways to leverage machine learning analytics and reporting in your third-party risk management program.
Consider these best practices to limit your risk exposure when offboarding vendors and suppliers.
Software supply chain attacks are driving new efforts to standardize software bills of materials. Here are...