A Practitioner’s Guide to Monitoring Third-Party Cyber Risks
$7.5 million. That’s the average cost to an organization of a data breach caused by a third-party vendor. And that’s just the direct financial loss. On top of it, the organization may suffer reputational damage, compliance problems, and a loss of customer trust.
We know what you’re thinking: That would never happen to my business.
But the truth is that a third-party vendor is one of the most likely sources of a breach you will face. In fact, 53% of organizations that experienced a breach this year said a third party was the cause.
Yes, working with third-party vendors is critical to your business’s success. But a relaxed approach to vendor management isn’t worth the risk. Your organization needs a thorough vetting and monitoring process for the third parties, suppliers, and fourth parties you work with today, and for those you choose to work with in the future.
If your organization already has a hefty list of third parties across all departments, how do you even start? We’ve broken down this process in this post. Think of it as the practitioner’s guide to monitoring third party risk.
Setting Up Ongoing Monitoring of Your Third Parties
80% of businesses say they would terminate or decline a business relationship due to a vendor’s cybersecurity performance. Maybe you fall within this statistic. If so, great! You’re convinced it’s time to implement an ongoing monitoring program for your third-party vendors. But where do you start?
Here are a few ways your organization can begin implementing an ongoing risk management program:
1. Build a plan with your end goals in mind: There’s no “one-size-fits-all” approach to monitoring third parties. When you begin to think about ongoing monitoring for your organization, craft the plan around your desired outcomes. To do this, take into account your risk appetite, potential exposure, budget constraints, system constraints, and other resource considerations.
To help you brainstorm your desired outcomes, ask yourself these 5 questions:
- Who? Which categories of vendors require coverage or more frequent coverage?
- What? Do I need separate processes for managed vendors, unmanaged suppliers, fourth parties, or vendors during the proposal process?
- When? How frequently do I require updated information for each category?
- Where? Into which step of my process will it be best to incorporate this new vendor risk data? Where do I want to remove, enhance, or streamline steps?
- Why? What do I expect the program to change, and do my defined metrics actually measure that change?
2. Test your online risk assessment process: Next, run a pilot of your new online risk assessment process for 90 to 180 days. Start with a set of vendors already scheduled for their annual assessments. During the pilot, build out your processes around the goals you established earlier.
Build the Team: Only 1 in 10 organizations have a role specifically dedicated to vendor, third-party, or supplier risk. So the first task of the pilot is to obtain the executive support needed to staff a team for managing third-party vendors. This team should include security, sourcing, and third-party risk personnel. It will be responsible for aligning company objectives and metrics and for evangelizing the new continuous monitoring program throughout the organization.
Establish Metrics: Next, establish the key metrics for your pilot program. These should cover the impact on risk data quality and analyst productivity, remediation effectiveness, and third-party feedback.
Pick a Monitoring Provider: Next, look into streamlining this process by partnering with a third-party risk management provider that can continuously monitor all of your third parties.
Apply Your Findings: Next, train your analysts on the new continuous risk scoring methodology. This means documenting how to build the scoring data into your vendor engagement model. Ask your analysts what’s working and what isn’t; this initial phase is crucial for capturing feedback.
Plan Ahead: As you test your initial third parties, also be sure to plan ahead. Gather an additional list of vendors from your security team. Have your third-party risk management solution build a portfolio and vendor-level risk assessment to prioritize which vendors to engage in the next phase of your ongoing monitoring program.
After taking these steps, you’ll have developed a reasonably good understanding of how to incorporate your new continuous risk assessment solutions into your process, and have a holistic view of your vendor risk.
The next step? Launching your ongoing risk management process.
Roll Out Your Ongoing Risk Management Process
Now that you’ve tested your process and put all the pieces in motion, it’s time to scale.
You’ll want to take what you learned from your pilot program to mature your risk-adjusted vendor management model and begin including suppliers and fourth parties that aren’t actively being managed.
Scale Your Ongoing Risk Management:
Now it’s time to roll out the continuous risk assessment process and monitoring solution to your remaining vendors. As in your pilot, engage these vendors as their annual assessments come due. Make sure to establish thresholds in your monitoring program that alert you if a vendor’s posture deviates materially between assessment periods.
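One way to implement the between-assessment thresholds described above, as an added example that is not code from the original post or from any monitoring provider. It assumes a 0-100 score where higher is better, tier-specific drop and floor thresholds, and a small constructed portfolio; all vendor names, tiers, dates, and scores are placeholders.

```python
"""Threshold alerting over continuously monitored vendor risk scores.

Added example (not from the original post or any vendor product). Vendor
names, tiers, thresholds, dates and scores are constructed placeholders.
Scores are assumed to run 0-100 with higher meaning better posture.
"""
from dataclasses import dataclass

# Assumed tier policy: how many points a vendor may fall below its last
# assessment baseline before we care, plus an absolute floor that flags the
# vendor regardless of how it compares to its own baseline.
TIER_POLICY = {
    "critical": {"max_drop": 5, "floor": 80},
    "high": {"max_drop": 10, "floor": 70},
    "standard": {"max_drop": 20, "floor": 55},
}

# Require the condition to hold on this many consecutive observations before
# alerting, so a single noisy scan does not page an analyst.
MIN_CONSECUTIVE = 2


@dataclass(frozen=True)
class Alert:
    vendor: str
    tier: str
    date: str       # observation date on which the alert fired
    reason: str     # "below_floor" or "drop_from_baseline"
    baseline: int
    score: int


def evaluate_vendor(vendor, tier, baseline, observations, min_consecutive=MIN_CONSECUTIVE):
    """Walk a vendor's chronological (date, score) observations and return the
    alerts that would have fired between annual assessments.

    An alert fires once when a condition has held for `min_consecutive`
    observations and does not fire again until the condition clears, so a
    vendor that stays degraded produces one alert, not one per scan.
    """
    policy = TIER_POLICY[tier]
    alerts = []
    streak = 0        # consecutive observations in breach
    fired = False     # an alert was already raised for the current breach
    for date, score in observations:
        below_floor = score < policy["floor"]
        big_drop = (baseline - score) > policy["max_drop"]
        if below_floor or big_drop:
            streak += 1
            if streak >= min_consecutive and not fired:
                reason = "below_floor" if below_floor else "drop_from_baseline"
                alerts.append(Alert(vendor, tier, date, reason, baseline, score))
                fired = True
        else:
            streak = 0
            fired = False
    return alerts


def evaluate_portfolio(vendors):
    """vendors: iterable of (name, tier, baseline, observations). Returns all alerts."""
    out = []
    for name, tier, baseline, obs in vendors:
        out.extend(evaluate_vendor(name, tier, baseline, obs))
    return out


# Constructed sample portfolio: baseline is the score at the last annual
# assessment; observations are the monitoring feed since then.
SAMPLE_PORTFOLIO = [
    # Critical vendor: a one-scan dip that recovers (no alert), then a sustained slide.
    ("payroll-saas", "critical", 92,
     [("2024-01-08", 91), ("2024-01-15", 84), ("2024-01-22", 90),
      ("2024-01-29", 85), ("2024-02-05", 84), ("2024-02-12", 83)]),
    # Standard vendor: a large drop from baseline that stays above the tier floor.
    ("print-supplier", "standard", 88,
     [("2024-01-08", 87), ("2024-01-15", 65), ("2024-01-22", 64), ("2024-01-29", 66)]),
    # High-tier vendor: small drop from baseline, but it crosses the absolute floor.
    ("cdn-provider", "high", 74,
     [("2024-01-08", 73), ("2024-01-15", 69), ("2024-01-22", 68)]),
    # High-tier vendor that is fine throughout.
    ("ticketing-saas", "high", 78,
     [("2024-01-08", 79), ("2024-01-15", 77), ("2024-01-22", 76)]),
]

if __name__ == "__main__":
    for a in evaluate_portfolio(SAMPLE_PORTFOLIO):
        print(f"{a.date} {a.vendor} ({a.tier}): {a.reason} "
              f"baseline={a.baseline} score={a.score}")
```

The two thresholds serve different purposes: the drop-from-baseline check catches a vendor whose posture has changed since you last looked, while the absolute floor catches a vendor that was already marginal at assessment time and has slipped below what its tier allows. The consecutive-observation requirement and the one-alert-per-breach state are what keep the feed from turning into noise your analysts learn to ignore.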
Apply Your Findings in RFPs
You now have a rapid and actionable way to assess vendors during the proposal process, so begin building your third-party risk reports into your RFPs. This will help you identify potential risks well before a contract is signed.
Ongoing Third-Party Risk Management Requires Continuous Improvement
As time goes on, your organization will accumulate historical data about all managed vendors and, with the help of your assessment providers, risk assessments for your unmanaged vendors, suppliers, and fourth parties as well. This information will put you in a position to prioritize vendors by inherent risk and by the quality of each one’s security practices.
As you think about your third-party risk management provider, consider Vendorpedia.
The Vendorpedia™ Cyber Risk Exchange and Third-Party Risk Management Software offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding and real-time monitoring to unprecedented vendor visibility.