sources for the data points.
Recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location being exposed have made it abundantly clear that third-party data breaches don’t discriminate by industry. With more organizations sharing data with an average of 730 third-party vendors, according to a report by Osano, and with the acceleration of digital transformation, that number will only grow.
Unfortunately, while most security teams agree that supply chain visibility is a priority, the same report notes that only 41% of organizations have visibility into their most critical vendors and only 23% have visibility into their entire third-party ecosystem. This is due to the same barriers we consistently hear – lack of time, lack of money and resources, and the need to work with the vendor. Automation can be used to solve many of these issues.
Automation empowers organizations to do more with less. From a security perspective, automation can save more than 80% over the cost of manual security, according to a cybersecurity survey of IT executives. It can also improve an organization’s cybersecurity posture, as 42% of companies cited security automation as a major factor in their success.
With regards to Third Party Risk Management (TPRM), automation can transform the process by using Continuous Threat Exposure Management (CTEM). This includes automated asset discovery, external infrastructure/network assessments, web application security assessment, threat intelligence informed analysis, dark web findings, and more accurate security ratings. It is a more comprehensive analysis of third parties than just sending questionnaires, which can take between 8-40 hours per vendor – provided that the vendor responds quickly and accurately.
Organizations that manage many questionnaires, or vendors that respond to many questionnaires, should consider using a questionnaire exchange. It is a hosted repository of completed standard or custom questionnaires that can be shared with other interested parties upon approval. By combining threat exposure assessments with questionnaires, organizations can reduce the time to assess and onboard new vendors by 33%.
Security ratings alone are not enough. Organizations must use questionnaires and threat exposure management, which incorporates accurate security ratings from the direct assessments, combined with validated questionnaires. This gives organizations a real \”trust but verify\” approach toward third-party reviews, and organizations can be notified when third parties become non-compliant with specific technical controls.
In conclusion, organizations should look to add automation to their processes for third-party cyber risk management. Automation provides benefits such as cost savings, improved cybersecurity posture, and more accurate security ratings. It also allows organizations to be notified when third parties become non-compliant with specific technical controls. By leveraging automation, organizations can maximize the efficiency of their cyber risk management program while still achieving progress.
Key Points
• Third-party data breaches don’t discriminate by industry.
• More than 50% of security incidents in the past two years have stemmed from a third-party with access privileges.
• Automation empowers organizations to do more with less, including cost savings, improved cybersecurity posture, and more accurate security ratings.
• Continuous Threat Exposure Management (CTEM) is a more comprehensive analysis of third parties than just sending questionnaires.
• Combining threat exposure assessments with questionnaires can reduce the time to assess and onboard new vendors by 33%.
• Organizations should use questionnaires, threat exposure management, and automation to maximize the efficiency of their cyber risk management program.
Sources
• CyberRisk Alliance Report. (2020). The State of Third-Party Risk Management. Retrieved from https://cyberriskalliance.org/media/2020/09/CRA_2020_State_of_3rd_Party_Risk_Management.pdf
• Osano. (2020). The State of Third-Party Risk Management in 2020. Retrieved from https://osano.com/resources/wp-state-of-3rd-party-risk-management-2020
• Graphus. (2020). The Benefits of Security Automation. Retrieved from https://graphus.com/the-benefits-of-security-automation/