Assessing Third-Party Cyber Vulnerabilities

Businesses can no longer only worry about their own security infrastructure and protocols as it pertains to cyber exposure.  As the technology becomes more and more connected, so do organizations across distribution channels.  It’s imperative that companies start looking outside of their proverbial walls and begin to understand the security posture of their vendors and partners, as these organizations present another emerging exposure in the security and privacy landscape.

A recent white paper The Buck Stops Where? Assessing the Cybersecurity Performance of the Finance Supply Chain by BitSight Technologies indicated that an increasing number of cyber threats originate with vulnerabilities of a key vendor or business partner.  As a result, vendor risk management is becoming a universal, board-level initiative with a heightened focus on demonstrating reduced exposures as a direct result of vendors, suppliers, business partners and stakeholders.

The white paper, which looked at the security performance of 5,000+ vendors representing the supply chain of the Finance industry, identified common risks that can help organizations of all industries manage third-party cyber risk.  Key findings from the report included:

  1. A significant security performance gap exists between firms and the companies in their supply chain.
  2. Companies in the supply chain with a Desktop Software Grade of “B” or lower were more than twice as likely to have a machine compromise.  
  3. One in five business service organizations has at least one instance of Windows XP on their network, increasing the likelihood of a publicly disclosed breach.
  4. Nearly one in four Technology and Business Service firms is running unsupported vulnerable Windows IIS on servers.
  5. Peer-to-peer file share occurs in over 20 percent of Technology and Business Services firms.

In addition to the key findings identified, BitSight Technologies offers a number of business recommendations that can be implemented to help protect against third-party cyber risks. These recommendations include:

  1. Understand endpoint security of critical vendors
  2. Scrutinize server security.
  3. Look out for  peer-to-peer file sharing
  4. Set a high bar for your vendors, suppliers and business associates.

You can access the full white paper here. If you have any questions about the concepts presented in the white paper or would like to discuss your organization’s native or third-party cyber exposures, please contact me directly at cmartin@rcmd.com or at 804.237.5923