In recent years, we have seen an influx of ransomware attacks on prominent businesses, large-scale government breaches, and critical infrastructure hacks. While globalization has brought unprecedented economic gains, it has complicated most organizations' business resilience and risk management.
According to our latest TPRM study, 61% of companies reported a third-party data breach or cyber incident in the last year. Today, a single cyberattack can halt critical services. For instance, UnitedHealth Group, the largest health insurer in the United States, was breached via a ransomware attack targeting its health-tech subsidiary Change Healthcare, continuing to disrupt hospitals and pharmacies nationwide. The cyberattack halted pharmacy operations and caused widespread outages and issues with processing insurance and patient billing.
A practical cyber risk monitoring program can help identify security exposures in your supply chain and business operations, ensure regulatory compliance, and reduce the risk of severe disruptions from third-party vendors.
Cyber risk monitoring is the practice of regularly evaluating third-party vendors to ensure that their cybersecurity policies align with best practices and don't pose an unacceptable risk to your organization. It is part of a broader third-party monitoring program.
Organizations monitor their vendors based on various criteria, including financial health, ESG risks, and contract performance. Monitoring vendors for cybersecurity risk typically consists of several constituent elements to include:
Data Breach Monitoring
Exposed Credentials Monitoring
Compliance Monitoring
Routine Vendor Risk Assessment Questionnaires
Many organizations assume they can effectively mitigate cyber risk by building a robust internal information security program. However, in recent years, malicious actors have increasingly targeted third-party contractors and vendors with access to critical systems and sensitive data at other, larger organizations. Attackers can bypass otherwise complex and well-funded security programs by hijacking a vendor's access to their customers and business partners.
Third-party data breaches are becoming an increasing problem for organizations of all sizes. A cybersecurity incident at a third—or fourth-party supplier can jeopardize proprietary information, customer data, employee data, and more. Continuous monitoring can alert you to exposed vendor credentials or cybersecurity lapses that could lead to a data breach.
Companies are under an increasing array of cybersecurity and data protection compliance requirements. Compliance requirements often have strict provisions relating to data sharing with third parties and information security requirements. Sharing sensitive, regulated information with an insecure vendor can result in fines, penalties, and potentially legal consequences for both your organization and the vendor.
For example, under HIPAA, vendors dealing with PHI are classified as business associates. This requires them to employ the same procedures and cybersecurity safeguards as the prime organization. If a HIPAA business associate fails to meet compliance requirements, the healthcare organization and third-party vendor can be held liable with steep fines.
Here are some additional regulations and standards that have specific requirements for monitoring third-party cyber risk:
Not all vendors require access to sensitive or regulated information. However, it can still be helpful to understand their security posture if they have access to information systems or work on-premises. Vendors' cybersecurity profiles often change as their organizations adopt new standards, change software, purchase other companies, and expand. Conducting ongoing monitoring throughout the relationship's lifecycle can help prevent surprises that the initial vendor risk questionnaire wouldn't capture.
For example, Target was the victim of a data breach in 2013 that exposed PII (Personally Identifiable Information) to tens of millions of its customers. The breach originated from an HVAC vendor, not a company that would typically receive detailed vetting. Understanding a vendor's cybersecurity posture and continuously monitoring for breaches can help your organization decide which systems and information to get access to and formulate controls to reduce the risk of a breach.
How Can You Stay Ahead of Vendor Cyber Risks?
Download this 11-page strategy guide to discover how to structure your third-party risk management (TPRM) program to efficiently identify and address cybersecurity risks across your vendor ecosystem.
We've established the importance of monitoring your third-, fourth- and Nth-party vendors for cyber risk. But how do you conceptualize effectively monitoring vendors for cyber risk in our increasingly interconnected and complex world? Here are the steps you need to take to build a robust cyber risk monitoring system that can alert you to issues before you fail a compliance audit or experience a data breach.
Every vendor you work with poses a certain level of risk to your organization. You must define the risks you are comfortable with and ensure vendors receive security ratings that accurately reflect the risk they pose to your operations and sensitive data. In many cases, you may need to require vendors to reduce their level of risk until their residual risk is acceptable.
Vendor Risk Questionnaires are critical for third-party onboarding vendors. Particularly when vendors can access sensitive data or your organization operates under numerous compliance requirements. Vendor Risk Questionnaires may cover financial health, operational stability, ESG, and other concerns, but cybersecurity is one of the most critical components. Some questions you might consider including:
Does your organization have third-party information security certifications such as SOC2, ISO27001, or CMMC?
Does your organization adhere to a specific cybersecurity framework or model?
Does your organization have an in-house cybersecurity team or work with an outside IT Service Provider or Managed Security Services Provider?
Using Third-Party Risk Management Software can enable you to quickly and easily create questionnaires based on a library of dozens of customizable templates. You may consider conducting routine vendor assessment questionnaires for vendors with particularly high-risk profiles or dealing with large amounts of your organization's sensitive data.
Before onboarding a new vendor, gather information about data breaches they have experienced, including details about affected systems and records – plus remediations and mitigations. Then, continuously monitor for news and evidence of new data breaches. For instance, dark web scanning quickly becomes critical to third-party risk management. In many cases, organizations will have exposed emails and passwords for sale on the dark web that they are unaware of, which could easily lead to a data breach or security incident. Fortunately, specific scanning for exposed credentials is easy and can provide valuable insight into whether the organization has already experienced a data breach or has poor user management practices. Look for solutions that offer dark web scanning and data breach reporting as part of their vendor risk monitoring solution.
Vendors may often require onsite access to IT assets to complete contracted work. However, cybersecurity risk doesn't stop once the vendor leaves the build, and you should ensure that your organization has clear policies to govern the vendor's access to your information technology. It is important to remember that vendor mistakes or data breaches can ultimately become your responsibility, especially with specific compliance requirements.
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
You can reduce your exposure to third-party cybersecurity threats by incorporating these best practices into your program:
Questionnaire-based cybersecurity assessments are typically completed once or twice a year. Complementing periodic assessments with continuous cyber risk monitoring enables you to stay on top of changes in vendor cyber risk posture as new threats emerge. Monitoring a vendor’s cybersecurity performance also allows you to validate their assessment responses against externally observable evidence of data breaches and other incidents. By implementing a robust third-party risk monitoring solution, you can confidently manage the vendor risk management lifecycle and respond to security gaps, compliance issues, and potential data breaches before they impact your business.
The past doesn’t necessarily predict the future but can provide insight into how seriously an organization takes cybersecurity. If an organization has experienced numerous data breaches in the recent past, it may serve as a good indicator that your organization's data could become compromised.
You should employ the least privilege principle for every vendor you work with. Ensure that they are only provided access to critical systems and data required to perform their work. While the vendor conducts their work, confirm that you have adequate monitoring to ensure they aren’t accessing unnecessary systems or data. Finally, ensure you have an effective vendor offboarding program to revoke access upon completion.
Vendors with robust cybersecurity programs who aren’t dealing with sensitive information may require less monitoring than vendors working with customer information or trade secrets. During the vendor onboarding process, be sure to profile, categorize, and tier third parties according to their inherent risk. This will make it easy for you to determine the frequency and scope of risk assessments and the level of monitoring you need to perform for each vendor. As a result, you will use your resources wisely and scale your cyber monitoring activities to the risk the vendor represents.
Building an effective cyber risk monitoring program has never been more critical. Prevalent makes navigating third-party and fourth-party risk manageable throughout your supply chain. Our vendor risk management platform combines continuous cyber risk monitoring with business, financial, and reputation monitoring – coupled with automated vendor risk assessment capabilities for a 360-degree view of vendor risk. Request a demo today to see if Prevalent is a fit for you.
Follow these 7 steps for more secure and efficient offboarding when third-party relationships are terminated.
10/17/2024
Third-Party Risk Management (TPRM) has advanced from being an annual checklist exercise to a critical daily...
10/07/2024
Effectively manage third-party cybersecurity incidents with a well-defined incident response plan.
09/24/2024