Third Party Cyber Risk Management
by Nick Moss

Services Director


I’m glad to see that UK companies of all sizes, and across all verticals, are starting to take Cyber Security more seriously. More organisations are looking at best practice guidance, and frameworks such as Cyber Essentials, ISO27001 or the NCSC CAF.

An area common to all three standards is the technical vulnerabilities an organisation might face, and the recognition that good vulnerability management and patching is a cornerstone of foundational security. Awareness of human vulnerabilities is also on the rise: how to educate your staff, and how to build a strong security culture through awareness and behaviours.

Cyber Risk Ratings

So as organisations get their own houses in order, they have the bandwidth to start looking outside their own walls. What risks do the organisations they work with carry, and where are the vulnerabilities in their supply chain? Who has access to their data or systems? If they caught a cold, would you sneeze?

With growing regulatory pressures, understanding which of the organisations you work with are safe pairs of hands is becoming more important than ever. This has prompted an increase in supplier/vendor/client due diligence processes, but outside of the largest enterprises, who has the time to manage this, and how do you make it more than a box-ticking exercise?

How do you go about even starting? The traditional questionnaire method is manual, time consuming, and you must trust the answers given. To validate a third party’s security, you could look at undertaking a pen test or similar, but to do these at scale would require firstly the permission of the third party, as well as a substantial budget and a huge amount of time. Even then, the assessment is a “point in time” and is out of date as soon as it’s completed.

So how do you achieve something which is practical, validated, continuous and scalable?

This is where Cyber Risk Ratings (CSR) come in. These platforms can offer real-time, ratified views of a wide range of security insights, about millions of global organisations. CSR platforms help monitor risk, but used in isolation they are missing context, and this is needed to round out the view.

Tailored, web-based questionnaires can add that context: they can probe areas outside the scope of CSR, such as internal controls, certifications held, or when a supplier last had a pen test. Integrating the questionnaire with the CSR platform helps validate the scores further, and can give confidence that the answers given in other areas are genuine.

Whilst CSR + questionnaire gets us from monitoring third party cyber risk to managing it, the target destination should be mitigation. This is where a Cyber Risk Management Framework comes in: defining your risk appetite and tolerances, and establishing lines of communication between yourselves and your supply chain, is what will ultimately address this issue going forward.
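To make the "CSR + questionnaire + risk appetite" idea concrete, here is an added worked example (not code from Saepio or from any rating platform). It takes a constructed sample of external rating findings and questionnaire answers for two hypothetical suppliers, checks both against tolerances the reviewing organisation has defined, and flags where a supplier's own answers contradict what the outside world can see. The question ids, finding categories, severity scale and tolerance values are all assumptions made for the illustration.

```python
"""Reconcile supplier questionnaire answers with external rating findings,
then grade each supplier against a defined risk appetite."""
from dataclasses import dataclass, field

# --- Constructed sample data: not output from any real rating platform ---

# External rating findings keyed by supplier: what the outside world can see.
# Severity is a hypothetical 1 (low) to 5 (critical) scale.
EXTERNAL_FINDINGS = {
    "acme-hosting": [
        {"category": "patching", "severity": 4,
         "detail": "public web server reports an end-of-life software version"},
        {"category": "tls", "severity": 3,
         "detail": "TLS 1.0 still offered on a public endpoint"},
    ],
    "quiet-payroll": [
        {"category": "email", "severity": 2, "detail": "no SPF record published"},
    ],
}

# Questionnaire answers keyed by supplier (hypothetical question ids).
QUESTIONNAIRE = {
    "acme-hosting": {"patch_sla_days": 30, "pen_test_months_ago": 8, "iso27001": True},
    "quiet-payroll": {"patch_sla_days": 14, "pen_test_months_ago": 24, "iso27001": False},
}

# Risk appetite: tolerances the reviewing organisation sets under its own
# framework. The values here are illustrative.
RISK_APPETITE = {
    "max_external_severity": 3,
    "max_pen_test_age_months": 12,
    "max_patch_sla_days": 30,
}

# Consistency rules: a questionnaire claim, the external finding category that
# would contradict it, and the minimum severity that counts as a contradiction.
CONSISTENCY_RULES = [
    ("patch_sla_days", "patching", 4,
     "claims a patch SLA but externally visible software is unpatched"),
]


@dataclass
class Assessment:
    supplier: str
    worst_external_severity: int          # 0 when no external findings exist
    breaches: list[str] = field(default_factory=list)
    contradictions: list[str] = field(default_factory=list)

    @property
    def tier(self) -> str:
        # A contradiction undermines trust in every other answer, so it is
        # escalated before any simple tolerance breach is considered.
        if self.contradictions:
            return "escalate"
        if self.breaches:
            return "review"
        return "accept"


def assess(supplier: str, findings: list, answers: dict, appetite: dict) -> Assessment:
    worst = max((f["severity"] for f in findings), default=0)
    result = Assessment(supplier, worst)

    # Tolerance checks: external evidence and self-reported answers against appetite.
    if worst > appetite["max_external_severity"]:
        result.breaches.append(f"external severity {worst} exceeds tolerance")
    if answers["pen_test_months_ago"] > appetite["max_pen_test_age_months"]:
        result.breaches.append("last penetration test is older than tolerated")
    if answers["patch_sla_days"] > appetite["max_patch_sla_days"]:
        result.breaches.append("stated patch SLA is slower than tolerated")

    # Cross-validation: a claim made in the questionnaire is contradicted when
    # the external feed shows a sufficiently severe finding in the linked category.
    for question, category, min_severity, message in CONSISTENCY_RULES:
        if answers.get(question) is None:
            continue
        if any(f["category"] == category and f["severity"] >= min_severity
               for f in findings):
            result.contradictions.append(message)
    return result


def assess_all(findings=EXTERNAL_FINDINGS, answers=QUESTIONNAIRE,
               appetite=RISK_APPETITE) -> dict:
    """Assess every supplier that returned a questionnaire."""
    return {s: assess(s, findings.get(s, []), answers[s], appetite) for s in answers}


if __name__ == "__main__":
    for a in assess_all().values():
        print(f"{a.supplier}: {a.tier} (worst external severity {a.worst_external_severity})")
        for line in a.contradictions + a.breaches:
            print("  -", line)
```

Running it puts acme-hosting into the "escalate" tier because its claimed 30-day patch SLA is contradicted by externally visible end-of-life software, while quiet-payroll lands in "review" purely on a tolerance breach (its last pen test is older than the appetite allows). Separating contradictions from breaches matters: a breach is something to discuss with the supplier, whereas a contradiction means the rest of their answers should not be taken at face value.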

Contact Us

As we know that time is precious, Saepio now offer this as a service so we can take care of this on your behalf. If you’d like to learn more about how this works, or would like to understand your own CSR score to see how the outside world sees you, please get in touch with your account manager or contact Saepio on +44 (0)1494 216 061 or contact@saepio.co.uk.