Did you know your vendor’s cybersecurity can be rated? Yes, rating a vendor’s cyber preparedness has become the primary due diligence challenge of 2019. In fact, according to our 2019 State of Third Party Risk Management industry survey, third party cybersecurity assessments were identified as one of the next big hurdles for organizations.
We all took notice when Target had an HVAC vendor who created a hole in their cybersecurity fabric. Today, Instagram, via an unprotected Amazon Web Services server, lost over 49 million records of people from all walks of life. Facebook’s messaging app, WhatsApp, revealed a vulnerability had allowed bad actors to install spyware on cell phones to exploit calls, texts and data. Those are just the events that have been made public. Every single day, another vendor is discovered to have allowed a bad actor to take advantage of its client’s infrastructure for nefarious purposes.
Today, we are on the brink of exponentially worsening the situation and risking our cybersecurity defenses by the wholesale adoption of big data analytics, or data science as it's referred to today. Big data and data science are here to stay. I would argue that we're not ready for this level of data sharing and information exchange with vendors.
This means cybersecurity, and cybersecurity ratings, for your vendors are more important than ever for your protection.
Understanding Data Science
We went through a phase, not so long ago, where the term “big data” was being thrown around in haphazard combinations with terms like data streams, data rivers, data lakes and data oceans. Now we have data science.
Data science requires a massive amount of computing resources. It also requires a very high level of mathematical ability and an understanding of databases and data structures. As you might guess, it’s hard to find data scientists. Consequently, we are seeing a rapidly increasing amount of outsourcing in the data science arena. The scary part of the story begins when the data analytics you’ve contracted for can’t be produced by one vendor.
Third parties are using vendors of their own, and those vendors are using vendors, and so on, to process big data. The seamy underbelly of the data science world has a mad scientist creating a frankenbuild of computing resources and using vendors to get to the answers the data owner is seeking.
As part of cybersecurity, you need to understand these concepts.
Cybersecurity Ratings Matter for Every Critical/High-Risk Vendor
Your initial due diligence/vendor vetting must include a section on cybersecurity. Just like performing a risk assessment on a vendor to achieve a final rating, you must find a vendor’s cybersecurity rating.
Here are five reasons why knowing your third party’s cybersecurity rating matters:
- To identify potential vulnerabilities with a third party. A vulnerable vendor has security “holes” in their cybersecurity fabric. This includes their systems and their network communications infrastructure. Any vendor that has access to your infrastructure has the potential to create holes in your organization’s cybersecurity fabric and may make your organization more susceptible to a breach.
- It verifies your vendor is practicing safe cyber hygiene and is performing proper security testing in appropriate time frames.
- You will verify the vendor has a SETA (Security Education, Training and Awareness) program. Is the vendor taking the steps to educate their employees, contractors and vendors on cybersecurity procedures and best practices? This is crucial and a big piece of the puzzle to ensure your data is protected.
- You’ll find out if the vendor’s incident response plan is satisfactory or not and if it’s tested frequently. A cybersecurity incident is any malicious act or suspicious event that compromises, or is an attempt to compromise, the network security perimeter or the physical security perimeter of any critical cyber asset or disrupts, or was an attempt to disrupt, the operation of a critical cyber asset.
- The cybersecurity rating is the evidence you need to determine just how prepared a vendor is should they experience a cybersecurity incident.
How to Find Out Your Vendor’s Cybersecurity Rating
So, do you know your vendor’s cybersecurity rating? Today, there are only two ways to get a cybersecurity rating. You can either take a do-it-yourself (DIY) route or you can outsource to a third party. Here’s how those work.
DIY Vendor Cybersecurity Ratings
DIY is a long, drawn-out process that often ends in failure and frustration. Here’s what you’ll often do:
- Taking the risk assessment route. Not a bad option, but not truly a cybersecurity rating. This option will require you to set up a questionnaire that you will have your vendor and their vendors (your fourth parties) and your fourth parties’ vendors (your fifth parties) and your fifth parties’ vendors…ok you get the picture… fill out and return to you. When you get the questionnaires back, you’re going to be acting on faith that what is represented in the questionnaire is accurate.
Remember, if you choose to go this route, these considerations need to be kept in the back of your mind:
- It takes someone with excellent technical skills and an in-depth understanding of cybersecurity, the domain name system (DNS), transmission control protocol/internet protocol (TCP/IP), routing protocols, firewall rules, vulnerabilities and patching protocols to really understand the security posture of an organization.
- The process produces an extraordinary amount of data.
- The knowledge it takes to accurately analyze an organization’s security posture isn’t trivial.
Third Party Cybersecurity Ratings
The second option is to hire someone to supply the ratings to you, also known as outsourcing the service. There are some benefits to this:
- It’s much easier, faster and tends to be more accurate.
- Interestingly, it is cheaper than doing it yourself.
You can find companies, like SecurityScorecard (I admit, a shameless plug for a product we partner with through our Ongoing Cybersecurity Monitoring service), that can supply you with real-time access to any company you choose, so you can generate periodic reports on the security of the companies you are monitoring.
A vulnerable vendor is a weakness in the walls of your organization’s cyber castle. Determining a vendor’s cybersecurity rating helps you govern any course of action you may need to take to further protect your organization from a cybersecurity risk.