Everyone makes mistakes. But when it comes to vendor security risk management, it’s best to avoid them completely.
Not a week goes by when we don’t hear about massive third-party data breaches and the unfortunate consequences that follow. Breached companies face hefty regulatory penalties, a loss of customer trust and sometimes even bankruptcy as a result. To prevent such disastrous cyber incidents, it’s essential for companies to engage in effective third-party vendor risk management to check for potential cybersecurity problems.
What kinds of cybersecurity vendor management mistakes should companies avoid? Below are five important examples.
1. Not knowing your vendors
Many companies are not even aware of how many vendors they are connected to, which is a significant problem. At one company with hundreds of suppliers, Panorays discovered an additional 5% that the company did not know about.
Obviously, you can’t protect your company from vendor cyber mishaps if you don’t know who your vendors are. For this reason, it’s important to uncover all supply chain relationships, ideally using an asset discovery tool, and to evaluate and continuously monitor them. By doing so, you can pinpoint any security issues within the supply chain that can be fixed before cybercriminals take advantage of them.
2. Making assumptions about the security of your vendors
You may think that if a vendor is well-known, it’s likely to be secure. Or you may believe that a small company’s risk level is probably low or average. In both cases, you may very well be mistaken.
Many evaluators mistakenly do not recognize the need to continuously monitor low-risk business partners, such as marketing tools. However, we’ve seen that risk can easily come from such “low-risk” business partners.
Vendors of all sizes and all reputations can be vulnerable to attacks. Research found that nearly one-third of US management firms, considered critical suppliers, were running outdated versions of their content management systems (CMS).
While it’s true that some businesses may pose less of a risk because of their unique business relationship with your company, doing business with any vendor poses some risk to a company. What’s necessary is to determine the level of risk and how it can be effectively managed through vendor risk monitoring.
3. Overlooking third-party GDPR requirements
If your third-party vendors are based in the United States, you might think that you don’t need to worry about GDPR compliance—and you would be wrong.
Any organization that has an establishment or offices in Europe, does business in Europe by offering goods or services to people in the EU, or monitors the behavior of people in the EU must not only comply with GDPR’s many requirements, but is also responsible for ensuring that its third parties do so as well. Organizations that don’t comply—or whose third parties don’t comply—can, in certain cases, be fined as much as 4% of global annual revenue, or €20 million, whichever is greater.
For these reasons, it’s crucial to check your third parties’ GDPR compliance as part of any vendor security assessment.
4. Forgetting fourth parties
You may think that because a vendor performs due diligence and has documentation showing that it is safe, its partners and suppliers—better known as fourth parties—probably are too. However, this might not be the case. The reality is that businesses need to be concerned with this additional layer of business relationships.
In the same way that a breach to your third parties could cause a breach to your company, a breach through your fourth-party vendors could pose risk to your company as well. In addition, research has indicated that there is a direct correlation between the security posture of the third party and its fourth parties. For these reasons, it’s important to not only assess and monitor the cyber posture of your third parties, but your fourth parties as well.
5. Relying on a one-time assessment
Some evaluators mistakenly believe that one vendor security assessment will provide the entire picture of a third party’s cyber posture for a significant amount of time. Nothing could be further from the truth.
Cybersecurity is dynamic. Since new technologies are being introduced all the time and attackers are constantly finding new ways to steal data, a one-time assessment effectively becomes outdated as soon as it’s completed. Instead, it’s necessary to use a third-party vendor risk management solution that also continuously monitors the attack surface to detect any cyber gaps or changes in cyber posture.
Because of the high stakes involved, vendor cyber risk management is a top priority for organizations. Making sure that these common mistakes are avoided can help protect your company against data breaches and strengthen your overall cyber posture.