Assessing third-party vendor risk: Top 6 challenges

Third-party cyber threats are impacting major business decisions, according to a BitSight and CeFPro report. Here are some of the biggest challenges.

Managing third-party cyber risk is crucial to a functional business, according to a BitSight and Center for Financial Professionals (CeFPro) report released on Tuesday. However, a lack of consistent monitoring and reporting is presenting major challenges for organizations, leaving them vulnerable to data breaches, the report found.

The report surveyed 126 financial services professionals from various industry sectors across the world. The financial industry, in particular, works with thousands of vendors including legal organizations, accounting and human resources firms, management consulting and outsourcing firms, and IT and software providers, the report said. All of these vendors act as potential avenues for cyberattackers.

"Although there has been a significant increase in effectiveness, attention, and resources focused toward third-party cyber risk over the last few years, there is still much to be done," Andreas Simou, managing director at CeFPro, said in a press release. "Utilizing more effective tools and techniques to overcome the ever-increasing challenges being faced within the industry, with third- (and fourth-) party cyber risk as just one key area to be addressed."

The report outlined the following six biggest challenges companies face in assessing third-party vendor risks:

  1. Data accuracy and quality
  2. Actionability of data
  3. Lack of continuous monitoring
  4. Speed of the risk assessment process
  5. Cost of on-site assessments
  6. Unclear responsibility within an organization

While these challenges are significant, companies must still take steps to protect themselves. Organizations should begin by compiling a full inventory of third parties and standardizing a risk assessment process, the report said. Companies must also continuously monitor third-party partners, using security ratings to gain real-time visibility into vulnerabilities. The report also recommended establishing consistent board reporting and creating a fourth-party risk program to oversee the wider business ecosystem.
