How To Build A Third Party Cyber Risk Management Program
By: Jake Olcott, VP of Business Development at BitSight
Modern integrated business processes have dramatically expanded the attack surface of organizations in all industries. Institutions can no longer ignore the risk presented by vendors or other business partners, especially with regulatory bodies pushing for formal risk management of vendors and third parties. Assessing cyber risk adds to this challenge. It is one thing to make sure your organization is ready to deal with evolving threats- it is even more difficult to ensure your third parties are also prepared.
So, how can credit unions start evaluating the cyber risk associated with their vendors? More importantly, how can credit unions make this process efficient and cost-effective?
Using the right tools and techniques, those in charge of security and risk can drastically reduce third party cyber risk even if itâs not their primary responsibility. Below are four tips on how to save time and money in this process:
- Tier Your Third Parties
Some of your third parties have access to sensitive data that could compromise your employees and customer base. However, itâs likely that many others only have access to nonsensitive data. Identify your most important third parties and spend the most time assessing their security programs. Most organizations use a three or four-tier system.
- Adjust Your Contracts
Making sure that the contracts youâve signed with your third party vendors reflects the level of security you expect is a critical step to managing and reducing 3rd party cyber risk.
- Use a Mix of Information to Assess Vendors
There are many ways organizations currently evaluate third party cyber risk. These typically include: standard security assessments and questionnaires, vulnerability scans, penetration tests, on-site visits, and data obtained through continuous monitoring. Taken together, these methods provide a good snapshot of an organizationâs security posture.
- Continuously Monitor Your Critical Vendors
Just as your organization seeks to continuously monitor its own environment for security risks, it is critical to continuously monitor your critical third party vendors. Cyber is a dynamic environment, and security postures can change overnight. Monitoring your vendors and setting up alerts when security incidents arise is a more efficient way to assess and reduce security risk.
Join Jake for his webinar, "How To Build A Third Party Cyber Risk Management Program," on August 24 from 2-3pm ET where he will offer tips, techniques, and tools you can leverage to make it an efficient and cost-effective process for your credit union. Click here to register today.
BitSight Technologies is the NAFCU Services Preferred Partner for Cybersecurity Ratings for Vendor Risk Management and Benchmarking. More educational resources and partner contact information are available at www.nafcu.org/bitsight.Â