In light of the almost daily news of companies suffering security breaches, the need for assessing the risk profile of third- and fourth-party suppliers has never been more necessary than it is today. A company may have its own computing infrastructure secured, but the rest of its digital supply chain often remains overlooked.
The recent attacks reported by Bloomberg show an increasing severity and sophistication of global supply chain attacks, which in this case affected thirty companies including a major bank and government contractors. The attacks initiated by China demonstrate that the security of the technology supply chain was able to be compromised, even if consumers and most companies were completely unaware of it.
Third- and fourth-party vendors are an essential part of many supply chains, without them, many companies simply would not function. However, these ‘supplier’ relationships can run into the thousands for organisations, and how do you know if they are a risk to the business? In this age of data, not managing these potential threats properly could all too easily lead to the loss of important customer data and trade secrets being compromised.
Therefore, when engaging with the supply chain, companies need to have an objective view on those risks a supplier could potentially pose. Nothing is ever risk-free, so the question becomes one of how an organisation manages risk, do they accept it, transfer it, or mitigate it?
When thinking about data, a company is not only responsible for customer data on their own systems, they are also responsible for that customer information when it goes into the supply chain. Organisations therefore need to map out where data flows and figure out where this overlaps with vendors. They also need to assess the risk that each vendor may present, as an organisation’s data protection policy could be weakened by a vendor with inferior security standards.
Risk management is increasingly of high importance for IT leaders and the boardroom. And it is down to IT leaders to show that vendor risk management should be considered by the business. That said, the process of assessing the risk of an organisation your company is looking to do business with can be difficult and time consuming. It requires active management and monitoring of vendor relationships. This means vendor audits, onsite visits and assessments, and data flow mapping. You need to know and track vendors that have access to sensitive data on your systems. This is qualitative in nature and can take weeks, if not months to complete.
But the issue here is that it can’t be done continuously, or at great scale (as it would be eye-wateringly expensive). Added to this is the question of what happens if the vendor suffers from a WannaCry-like outbreak, what is the real-time response here? The answer lies in a platform that gives IT leaders access to the risk profiles of thousands of companies.
Identifying and quantifying cyber risks
Organisations can begin to quantify and mitigate cyber risks with our BitSight Security Ratings. These ratings enable organisations to manage third- and fourth-party risk, underwrite cyber insurance policies, benchmarking, and much more. Organisations like ratings such as these as they provide an objective understanding of performance risk in IT security as it pertains to partners in the supply chain. As well as this, it surfaces information for companies that are the target of mergers and acquisition activity.
Ratings help in benchmarking activity. Being able to rate organisations means you can benchmark a company against its peer group or against an industry. This is a pretty important capability to have given the tenor of conversation around security at an executive board level, where some of the more important details are not going to be digested. And the board level is increasingly where questions around risk are being asked. Having an easy way to rate companies can help put a company’s level of risk into context and make it very open and transparent for senior executives to understand.
Risk management is a continuous process
Assessing the risk of a third-party is not a one-shot, fire-and-forget operation, it is a continuous process. For example, a platform such as ours can alert organisations to new infections or malware that appears on a third- and fourth-party network. Using publicly accessible external data, analysis can be made at scale to help assess risk and flag problems, in an objective manner. The process means that that time to risk assessment is decreased from weeks down to minutes.
This information has a risk signal that means users can make their own decisions in real time and take appropriate actions. This helps organisations in reviewing their security and risk controls and put in place a realistic cybersecurity plan for vendors and suppliers in their eco-system.
When you know what the risks are, you can mitigate your data security concerns and get on with the day job of running the business.
Ewen O'Brien is the Head of EMEA at cyber risk management firm BitSight