Organisations are increasingly asking themselves which third-party suppliers are critical to their business, and which of those provide mission-critical services or have access to personal, customer or otherwise sensitive data. Understanding the threat landscape of the supply chain is a positive step, but organisations often miss one of the most vital parts: ongoing monitoring of each supplier's security standards and processes.

Point-in-time Third-Party Risk Management (TPRM) due diligence assessments are a robust way to understand the supplier risk being taken on when a contract starts. As those risks shift and the boundaries of the engagement move, however, they require continuous monitoring. Environmental, situational and organisational changes can all affect the level of information security in place to safeguard your sensitive data. Contracts change, and a supplier who provided a limited service when on-boarded may now provide a pivotal one: the impact of a compromise has increased without any corresponding requirement for more in-depth assurance. A large share of recent information security incidents and data privacy breaches have been traced to gaps in the data security processes of suppliers and third parties, and this is the compelling case for continuous monitoring.

Continuous security monitoring helps expose the full threat landscape

In 2018, Gartner predicted: “By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.” They were right: the supply chain needs to be monitored.

We advise our clients to conduct regular data security audits, to check periodically that suppliers hold current certifications such as Cyber Essentials Plus and ISO 27001, and to request evidence from suppliers and partners of their information assurance practices. It is vital to check that a certificate was issued by a certification body accredited or licensed by a recognised accreditation body (UKAS for ISO 27001 in the UK, IASME for Cyber Essentials), and not by a provider offering certification and consultancy services to the same client at the same time, which is a clear conflict of interest. Check the scope statement on the certificate as well: a certificate that covers only head-office functions says nothing about the team or platform that delivers your service. Cyber Essentials certificates are valid for twelve months and ISO 27001 certificates run on a three-year cycle with annual surveillance audits, so any certificate claiming a validity period longer than three years is a warning sign and should be investigated.

Another consideration, for those with the resources, is to continuously monitor the deep and dark web for breached data, leaked credentials and mentions of the supplier in attack planning. This widens the visible threat landscape, so CISOs can prepare to mitigate an attack before it happens rather than first hearing of it in the supplier's breach notification.

Cyber security ratings are also an important part of any Third-Party Risk Management lifecycle: they give a consistent, repeatable score for each supplier's security posture, so information security risk can be recognised, monitored and managed on a continuous basis rather than only at on-boarding or contract renewal.

Cyber security ratings for individual organisations can be developed from Open Source Intelligence (OSINT) and threat intelligence: externally observable signals such as exposed services, DNS and email security configuration, TLS hygiene, patch currency of internet-facing systems, and credentials appearing in breach dumps. Because the inputs are observable and repeatable, this is one of the most consistent, accountable and transparent methods of monitoring and mitigating third-party and supplier risk. The caveat is that a rating only sees the outside of the supplier: it complements, but does not replace, the evidence of internal controls obtained through audits and certification.

The benefits of continuous monitoring

The benefits of ongoing, regular monitoring of your supply chain's information security are clear. It lets organisations detect information security, privacy and compliance risks as they emerge, and assess on a continuing basis whether a supplier's information systems and common controls still meet the agreed standard. Consistent and comparable cyber security ratings help senior management understand risk exposure at a glance, and build transparency and accountability for risk management operations and controls into the wider business.

It’s time to transform the way we think about cyber security: embrace a strategic risk management approach, use cyber security ratings, and use that information to make supplier security a strategic priority for the enterprise.

How can we help?

Find out how we can help you ensure your suppliers are cyber-secure. Book a consultation today.