3 Steps to Automate Your Third-Party Risk Management Program

February 22, 2023 | The Hacker News | Cyber risk management


A Google search for “third-party data breach” turns up many recent reports of breaches caused by attacks on third parties or by the exposure of sensitive information stored at third-party locations. Third-party data breaches are not confined to any one industry, because almost every business depends on some vendor relationship, whether a business partner, contractor or reseller, the use of IT software or platforms, or another service provider. According to Osano’s report, organizations currently share data with an average of 730 third-party vendors, and that number is only growing as digital transformation accelerates.

Importance of Third Party Risk Management

As more organizations share data with more third-party vendors, it is not surprising that, according to a CyberRisk Alliance report, more than 50% of security incidents in the last two years have been attributed to third parties with access.

Unfortunately, while most security teams agree that supply chain visibility is a priority, the same report found that only 41% of organizations had visibility into their most important vendors, and only 23% had visibility across their entire third-party ecosystem.

The reasons for underinvestment in Third Party Risk Management (TPRM) are the ones we hear all the time: lack of time, lack of money and resources, and the business need to keep working with vendors. So how can you overcome the barriers to managing third-party cyber risk? Automation.

Benefits of automation

Automation allows organizations to do more with less. From a security perspective, here are some of the benefits that automation offers, as highlighted by Graphus:

  • In a cybersecurity survey, 76 percent of IT executives said automation maximizes security staff efficiency.
  • Security automation can save over 80% of the cost of manual security.
  • 42% of companies cite security automation as a key factor in their success in improving their cybersecurity posture.

As for TPRM, automation can transform the program as follows:

Step 1 – Assess Vendors Using Continuous Threat Exposure Management (CTEM)

A continuous threat exposure assessment incorporates:

  • Automated asset discovery
  • External infrastructure and network assessment
  • Web application security assessment
  • Threat-intelligence-based analysis
  • Dark web discovery
  • A more accurate security rating

This is a more comprehensive third-party analysis than simply sending out a questionnaire. The manual questionnaire process can take anywhere from 8-40 hours per vendor, and that is if the vendor responds quickly and accurately. Questionnaires alone also cannot confirm vulnerabilities or validate that the required controls are actually effective.

Reduce vendor review time by embedding automated threat exposure assessments and integrating them with questionnaires. We found that this combination reduces the time it takes to evaluate and onboard new vendors by 33%.

Step 2 – Use a Questionnaire Exchange

Organizations that manage many questionnaires, and vendors that answer many of them, should consider using a questionnaire exchange. Simply put, this is a hosted repository of completed standard or custom questionnaires that can be shared with other stakeholders once the owner approves.

By choosing a platform that also performs the automated assessments above, both parties get an up-to-date questionnaire that is validated automatically by the continuous assessment. Again, this saves your team time: you can request access to an existing completed questionnaire instead of sending a new one, and a questionnaire you answer once can be reused on request.

Step 3 – Continually Combine Threat Exposure Findings with Questionnaire Exchanges

A security rating alone is not enough, and questionnaires alone cannot be used to evaluate third parties either. Combining accurate security ratings from direct assessments with validated questionnaires (whose answers are checked against, and feed back into, the security rating) makes continuous threat exposure management a powerful basis for ongoing third-party risk management. A platform that uses both active and passive assessment, rather than relying solely on historical OSINT data, provides the most accurate attack surface visibility, because it reflects the third party as it is at that moment rather than as it once was.

This information can be used to automatically validate the applicable controls in a security or compliance framework questionnaire and to flag discrepancies between the vendor’s answers and the technical assessment results. This gives organizations a true “trust but verify” approach to third-party reviews. Because the assessment runs continuously, the platform can notify you promptly when a third party no longer satisfies a given technical control.
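The “trust but verify” reconciliation described in this step, shown as an added example rather than FortifyData’s own code: a vendor’s questionnaire answers are compared with the findings of an automated assessment, each control is marked as verified, a discrepancy, self-reported, or unverifiable from the outside, and a second assessment run is diffed against the first to produce the change notifications a continuous program would raise. The control IDs, questions, hostnames and findings are all constructed for illustration.

```python
"""Reconcile vendor questionnaire answers with automated assessment findings.

Added example, not FortifyData's code. Control IDs, questions, assets and
findings are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str      # ID of the questionnaire control the observation bears on
    asset: str        # where it was observed (constructed names)
    detail: str
    observed_at: str  # ISO date of the assessment run


# Vendor's questionnaire answers (constructed). "expected" is the answer that
# asserts the control is in place.
QUESTIONNAIRE = {
    "TLS-01":   {"question": "Are all external services limited to TLS 1.2 or higher?",
                 "expected": "yes", "answer": "Yes"},
    "MFA-01":   {"question": "Is MFA enforced on every internet-facing admin interface?",
                 "expected": "yes", "answer": "yes"},
    "PATCH-01": {"question": "Are critical vulnerabilities on external assets fixed within 30 days?",
                 "expected": "yes", "answer": "yes"},
    "DW-01":    {"question": "Have employee credentials appeared in breach dumps in the last 12 months?",
                 "expected": "no", "answer": "no"},
}

# Controls the automated assessment can actually check from the outside.
# MFA enforcement is deliberately absent: an external scan cannot confirm it,
# so a "yes" there stays unverified rather than being counted as proven.
ASSESSED_CONTROLS = {"TLS-01", "PATCH-01", "DW-01"}

# First assessment run (constructed). A finding means the control was observed NOT holding.
RUN_1 = [
    Finding("TLS-01", "vpn.vendor.example", "TLS 1.0 handshake accepted", "2023-02-20"),
]
# A later run (constructed): the TLS issue was fixed, but credentials have since surfaced in a dump.
RUN_2 = [
    Finding("DW-01", "credential monitoring", "3 corporate addresses in a public dump", "2023-03-05"),
]


def reconcile(questionnaire, findings, assessed=ASSESSED_CONTROLS):
    """Map each control ID to one of:
       'verified'      - vendor claims compliance and the assessment saw no contrary evidence
       'discrepancy'   - vendor claims compliance but the assessment observed the control failing
       'self_reported' - vendor admitted the gap, so there is nothing to contradict
       'unverified'    - vendor claims compliance but the assessment cannot check this control
    """
    failing = {f.control for f in findings}
    status = {}
    for control, item in questionnaire.items():
        claims_ok = item["answer"].strip().lower() == item["expected"]
        if not claims_ok:
            status[control] = "self_reported"
        elif control in failing:
            status[control] = "discrepancy"
        elif control in assessed:
            status[control] = "verified"
        else:
            status[control] = "unverified"
    return status


def discrepancies(status):
    """Controls where the vendor's answer contradicts the technical evidence."""
    return sorted(c for c, s in status.items() if s == "discrepancy")


def status_changes(previous, current):
    """Controls whose status changed between two runs, as control -> (old, new).
    This is the set a continuous program would notify the review team about."""
    return {c: (previous.get(c), current[c]) for c in current if previous.get(c) != current[c]}


if __name__ == "__main__":
    s1 = reconcile(QUESTIONNAIRE, RUN_1)
    s2 = reconcile(QUESTIONNAIRE, RUN_2)
    print("run 1 status:", s1)
    print("run 1 discrepancies:", discrepancies(s1))
    print("changes since run 1:", status_changes(s1, s2))
```

The four-way status matters in practice: a control with no finding is only “verified” when the assessment is actually capable of observing it, which keeps an external scan from silently vouching for internal controls such as MFA enforcement, and a vendor who admits a gap is not penalised as a discrepancy.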

Organizations seeking to maximize the efficiency of their third-party cyber risk management programs should consider adding automation to their processes. In a more challenging macroeconomic environment, companies can turn to automation to reduce the effort their teams spend while still making progress and delivering results, freeing team members to focus on other initiatives.

Note: This article was written and contributed by Victor Gamra, CISSP, a former CISO. He is also the founder and CEO of FortifyData, a leading continuous threat exposure management (CTEM) company. FortifyData enables enterprises to manage cyber risk at the organizational level by bringing automated attack surface assessment, asset classification, risk-based vulnerability management, security rating and third-party risk management together in an all-in-one cyber risk management platform. For more information, please visit www.fortifydata.com.

