To keep ahead of cyberattacks and breaches, security professionals might think they are doing all the right things. For example, you have rallied a team of experts to bolster the company’s IT infrastructure and equipped them with state-of-the-art threat detection and mitigation technologies. You have enrolled your employees in regular security awareness training courses, most of whom are passing simulated phishing tests with flying colors. In case something goes wrong, you are prepared with a step-by-step plan to respond to and minimize the impact. And so you sit, quietly confident that you have covered all your bases to fend off hackers and ensure that your business is secure. But is this really the case?
The truth of the matter is, organizations remain vulnerable as long as third-party security is left unaddressed. Businesses no longer operate as islands, but are interconnected with suppliers and experts to improve their products and services. While the benefits of this approach are abundant, it also introduces risk. If just one third-party partner falters on security, all organizations within the digital supply chain bear that risk.
That’s important, because the average organization has 182 vendors that connect to its systems each week, and according to a survey conducted by Deloitte, 83% of organizations have experienced a breach through a third party. According to IBM, the average cost of a data breach in 2020 was $3.86 million. In the last year alone, we witnessed a number of significant supply chain attacks that left thousands of businesses and government institutions to face repercussions, including SolarWinds, Accellion, Microsoft Exchange and Kaseya.
The limits of third-party security solutions
Unfortunately, many of today’s approaches for dealing with third-party security are simply not up to the task. The first route companies might take is the time-consuming and monotonous attempt to manually assess each vendor. Yet it’s not sustainable for security teams to spend time and effort chasing after vendors to reply to questions about their security posture. It can take weeks for vendors to respond, resulting in outdated assessments — not just from the time lapse, but because point-in-time assessments are outdated the minute they are completed. In short, this method would likely produce an inaccurate picture of supplier risk and leave an organization susceptible to a breach.
Some businesses opt for security rating services, which can be a great place to start with evaluating vendor security risk. These solutions provide ratings indicating how risky it is to do business with a third party, but unfortunately, it’s unlikely to take into account the context of the relationship.
Other businesses opt for automated security questionnaires. This option may enable faster turnaround than manual vendor security assessments, but it is not also without its flaws. Often, the questionnaires offered are not customized and fail to ask enough of the right questions. Moreover, they don’t take into account who the partner is and their role in relation to the business. Without this context, it becomes difficult to prioritize mitigation measures and respond appropriately.
So what features should security leaders look for in a third-party security management solution?
The third-party security management wishlist
The key is to find a platform that combines vendor security ratings with automated questionnaires that take into consideration the relationship with the vendor. Such a platform would provide questionnaire templates based on industry standards and also run external attack surface assessments to audit everything from email and DNS servers to cloud technologies, web applications and the presence of a dedicated security team. This combined approach provides a holistic and up-to-date view of your vendor security risk.
Equally important, such a solution must be automated. It should have the capability to send the questionnaires; identify cyber gaps; continuously monitor cyber posture; and alert relevant parties about any new issues. All this must be easy to track and, ideally, the platform should act as a communications and collaboration hub to streamline the entire vendor onboarding process. It should remove friction between teams and ensure that vendors are in alignment with your organization’s security controls, regulations and tolerance for risk. With such a solution, a business can claim back hours of valuable time; reduce costs; and scale its third-party security management program.
Ultimately, finding the right third-party security management solution means finding a partner that can help organizations achieve their end goal: avoiding a costly data breach. That way, security leaders won’t have to explain to the board, investors, customers and partners how such a thing could possibly happen when security protocols were in place to improve organizations’ security posture. By achieving that goal, security leaders may avoid damage to their company’s reputation, costly litigation and fines. At the end of the day, there’s no price you can put on peace of mind.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.