Cyber Risk Monitoring: Steps to Take Now

A cyber risk monitoring program can help to identify security exposures in your supply chain, ensure regulatory compliance, and reduce the risk of severe disruptions from third-party vendors.
July 08, 2021

The past year has seen an influx of ransomware attacks on prominent businesses, large-scale government breaches, and hacks of critical infrastructure. While globalization has brought about unprecedented economic gains, it has also complicated business resilience and risk management for most organizations.

Today, a single cyberattack can impact entire supply chains. For instance, in the recent Kaseya ransomware attack, criminals leveraged an exposure in the software vendor’s network management solution to first compromise several managed services providers, using the compromised MSPs as a stepping stone to target several hundred small and medium-sized businesses.

Building a practical cyber risk monitoring program can help to identify security exposures in your supply chain, ensure regulatory compliance, and reduce the risk of severe disruptions from third-party vendors.

What Is Cyber Risk Monitoring?

Cyber risk monitoring is the practice of regularly evaluating third-party vendors to ensure that their cybersecurity policies align with best practices and don't pose an unacceptable risk to your organization. Cyber risk monitoring is a piece of a broader third-party monitoring program.

Organizations monitor their vendors against various criteria, including financial health, ESG risks, and contract performance. Monitoring vendors for cybersecurity risk typically includes several elements:

  • Data Breach Monitoring

  • Exposed Credentials Monitoring

  • Compliance Monitoring

  • Routine Vendor Risk Assessment Questionnaires

What Are the Benefits of Third-Party Cybersecurity Risk Monitoring?

Many organizations assume that they can effectively mitigate their cyber risk if they build a robust internal information security program. However, in recent years, malicious actors have increasingly targeted third-party contractors and vendors with access to critical systems and sensitive data at other, larger organizations. By hijacking a vendor's access to its customers and business partners, attackers can bypass otherwise complex and well-funded security programs.

Reduce Third-Party Data Breach Risks

Third-party data breaches are becoming an increasing problem for organizations both large and small. A cybersecurity incident at a third- or fourth-party supplier can jeopardize proprietary information, customer data, employee data, and more. Continuous monitoring can alert you to exposed vendor credentials or lapses in cybersecurity that could lead to a data breach down the road.

Reduce Compliance Risks

Companies are under an increasing array of cybersecurity and data protection compliance requirements. In many cases, compliance requirements have strict provisions relating to how data is shared with third parties and information security requirements. Sharing sensitive, regulated information with an insecure vendor can result in fines, penalties, and potentially legal consequences for both your organization and the vendor.

For example, under HIPAA, vendors that handle PHI are classified as business associates. This requires them to employ the same procedures and cybersecurity safeguards as the covered entity. If a HIPAA business associate fails to meet compliance requirements, both the healthcare organization and the third-party vendor can be held liable and face steep fines.

Here are some additional regulations and standards that have specific requirements for monitoring third-party cyber risk:

Understand Security Posture Throughout the Vendor Lifecycle

Not all vendors require access to sensitive or regulated information. However, it can still be helpful to understand their security posture if they have any level of access to information systems or work on-premises. In many cases, vendors' cybersecurity profiles change as their organizations adopt new standards, change software, purchase other companies, and expand. Conducting ongoing monitoring throughout the lifecycle of the relationship can help prevent surprises that the initial vendor risk questionnaire wouldn’t capture.

For example, Target was the victim of a data breach in 2013 that exposed the PII (Personally Identifiable Information) of tens of millions of its customers. The breach originated with an HVAC vendor, not the type of company that would typically receive detailed vetting. Understanding a vendor's cybersecurity posture and continuously monitoring for breaches can help your organization decide which systems and information each vendor should have access to, and formulate controls to reduce the risk of a breach.

Building Your Cybersecurity Risk Monitoring Program

We’ve established the importance of monitoring your third-, fourth- and Nth-party vendors for cyber risk. But how do you effectively monitor vendors for cyber risk in our increasingly interconnected and complex world? Here are the steps you need to take to build a robust cyber risk monitoring system that can alert you to issues before you fail a compliance audit or experience a data breach.

1. Define Your Level of Acceptable Risk

Every vendor you work with poses a certain level of risk to your organization. It is up to you to define which risks you are comfortable with, and ensure that vendors are given security ratings that accurately reflect the level of risk they pose to your operations and sensitive data. In many cases, you may need to require vendors to reduce their level of risk until their residual risk is acceptable. Take a look at our post on inherent versus residual risk for more information on conceptualizing vendor risk.

2. Utilize Vendor Risk Questionnaires

Vendor Risk Questionnaires are critical when onboarding third-party vendors, particularly when vendors will have access to sensitive data or when your organization operates under numerous compliance requirements. Vendor Risk Questionnaires may cover topics such as financial health, operational stability, ESG, and other concerns, but cybersecurity is one of the most critical components. Some questions you might consider including:

  • Does your organization have any third-party information security certifications such as SOC2, ISO27001, or CMMC?

  • Does your organization adhere to a specific cybersecurity framework or model?

  • Does your organization have an in-house cybersecurity team or work with an outside IT Service Provider or Managed Security Services Provider?

Using Third-Party Risk Management Software can enable you to quickly and easily create questionnaires based on a library of dozens of customizable templates. For vendors with particularly high-risk profiles or dealing with large amounts of your organization’s sensitive data, you may consider conducting routine vendor assessment questionnaires. Check out our blog on vendor risk assessment questionnaire best practices for more information.

3. Monitor for Data Breaches and Exposed Credentials

Before onboarding a new vendor, be sure to gather information about data breaches they have experienced, including information about affected systems and records, plus remediations and mitigations. Then, be sure to continuously monitor for news and evidence of new data breaches. For instance, dark web scanning is quickly becoming a critical part of third-party risk management. In many cases, organizations have exposed emails and passwords for sale on the dark web that they are unaware of, and these could easily lead to a data breach or security incident. Fortunately, specific scanning for exposed credentials is easy and can provide valuable insight into whether the organization has already experienced a data breach or has poor user management practices. Prevalent offers dark web scanning and data breach reporting as part of its vendor risk monitoring solution.

4. Monitor the Vendor When Onsite or When Accessing Your IT Environment

In many cases, vendors may require onsite access to IT assets to complete contracted work. However, cybersecurity risk doesn’t stop once the vendor leaves the building. You should ensure that your organization has clear policies in place to govern what access the vendor has to your information technology assets. It is important to remember that vendor mistakes or data breaches can ultimately become your responsibility, especially under specific compliance requirements.

Cyber Monitoring Best Practices

You can reduce your exposure to third-party cybersecurity threats by incorporating these best practices into your program:

Conduct Continuous Third-Party Monitoring

Questionnaire-based cybersecurity assessments are typically completed once or twice a year. Complementing periodic assessments with continuous cyber risk monitoring enables you to stay on top of changes in vendor cyber risk posture as new threats emerge. Monitoring a vendor’s cybersecurity performance also enables you to validate their assessment responses against externally observable evidence of data breaches and other incidents. By implementing a robust third-party risk monitoring solution, you can manage the vendor risk management lifecycle with confidence and respond to security gaps, compliance issues, and potential data breaches before they impact your business.

Scrutinize Past Cybersecurity Performance

The past doesn’t necessarily predict the future, but it can provide insight into how seriously an organization takes cybersecurity. If an organization has experienced numerous data breaches in the recent past, it may serve as a good indicator that your organization's data could become compromised.

Employ the Principle of Least Privilege

You should employ the principle of least privilege for every vendor that you work with. Ensure that they are only provided access to critical systems and data required to perform their work. While the vendor conducts their work, confirm that you have adequate monitoring in place to ensure that they aren’t accessing unnecessary systems or data. Finally, make sure that you have an effective vendor offboarding program in place to revoke access upon completion.

Adapt Your Program Based on Risk Profile

Vendors with robust cybersecurity programs who aren’t dealing with sensitive information may require less monitoring than vendors working with customer information or trade secrets. Be sure to profile, categorize and tier third parties according to their inherent risk during the vendor onboarding process. This will make it easy for you to determine the frequency and scope of risk assessments, as well as the level of monitoring that you need to perform for each vendor. As a result, you will use your resources wisely and scale your cyber monitoring activities to the risk the vendor represents.

Next Steps for Ensuring Third-Party Vendor Cybersecurity

Building an effective cyber risk monitoring program has never been more important. Prevalent makes it easy to manage third-party and fourth-party risk throughout your supply chain. Our vendor risk management platform combines continuous cyber risk monitoring with business, financial and reputation monitoring – coupled with automated vendor risk assessment capabilities for a 360-degree view of vendor risk. Request a demo today to see if Prevalent is a fit for you.
