Recorded Future - Proactively Reduce Risk With Third-Party Intelligence

Increasingly, companies choose to outsource business functions, meaning the number of third parties they rely on is increasing rapidly. The growing ecosystem of interconnected businesses is becoming essential for maintaining efficiency, but it comes at the cost of increased risk.

According to Forrester, 21% of all breaches are caused by third-parties like external suppliers or vendors — and this risk is only growing. Your third-parties — especially critical ones that have access to your organization’s data or could cause significant business interruptions — should be viewed as a vulnerability that threat actors can and will exploit.

Adding to the trouble, COVID-19 drastically altered the global third-party supply chain, requiring companies across all industries to reassess their third-party risk. Remote IT management vendors, for example, went from reasonably important to mission critical overnight.

All this, in combination with a growing list of regulations, such as GDPR, the California Consumer Protection Act, and NYDFS mean that third-party risk is now a C-level and board-level topic. The pressure is on to make sure your business is staying ahead of third-party risk.

Traditional Third-Party Risk Assessment Processes Can’t Keep Up

There are three traditional methods of assessing third-party risk. A very mature third-party risk management program will use some combination of all three, while an emerging program may only utilize one. Each has their unique benefits, but they have drawbacks, as well. The three methods are:

  1. Questionnaires — By far the most commonly used method to assess third-party risk, questionnaires are inexpensive, comprehensive, and customizable to meet the needs of each specific third-party relationship. Unfortunately, questionnaires are inherently biased and prone to error. Even a perfectly-filled out questionnaire has issues, however, because they only assess a static point in time. In today’s fast-moving business world, changes happen way too quickly for annual questionnaires to capture. Mergers, acquisitions, security policies, corporate infrastructure — all of it is prone to change incredibly quickly. This often makes questionnaires stale upon arrival.
  2. Penetration testing — Penetration tests are active attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. These services are generally expensive, so companies tend to reserve this technique for critical vendors only— if they use it at all. Penetration tests are also point-in-time assessments, though. They give you deep visibility on the vulnerability risk your third parties face, but they offer little insight into other forms of cyber risk.
  3. Onsite audits — Often used for validation, onsite audits allow you to physically ensure that responses in a questionnaire line up with what is happening in reality. These are generally regarded as the strongest traditional method of risk assessment, as they can be wide in scope and are difficult to fake results in. However, onsite audits are another point-in-time assessment, so the results don’t stay current for long. They are also the most expensive form of assessment, making them cost-prohibitive for all but the most critical vendors. Additionally, the COVID-19 pandemic has had a deep impact on this approach. With many businesses limiting entrance into their facilities, or even having all their employees work remotely, you can’t rely on onsite audits to assess and validate security controls the way you once could.

Continually Monitor Third Parties With Security Intelligence

Security intelligence is a most effective and easiest way to assess cyber risk and understand third-party risk exposure. By collecting billions of entities from hundreds of thousands of sources across the open web, dark web, and technical sources, security intelligence makes it possible to dynamically link, categorize, and score third-parties in real-time. It provides insight into cyber risk across a variety of categories including data leakage, incident reports, domain abuse, email security, vulnerable infrastructure, web application security, and dark web attention.

Third-party intelligence is the application of elite security intelligence that gives you continuous visibility on your entire supply chain by automatically alerting you to new cyber risk events. It fills in the visibility gap left by point-in-time assessment techniques — making for a stronger, more proactive risk management process. It dramatically enhances questionnaires, giving you clear indicators on where to review responses more thoroughly, and where you don’t need to waste valuable time.

Use third-party intelligence for a risk-prioritized, quick glance of a company’s cyber risk exposure — or dive deep using the transparent evidence it provides to make remediating issues with third parties a smoother process. Either way, security intelligence grants third party risk teams the confidence and clarity they need to effectively manage third-party cyber risk.

Learn More

See Recorded Future’s Third-Party Intelligence Module in action right now — watch the short, on-demand webinar, “Defend Your Organization With Third-Party Intelligence.”

The post Proactively Reduce Risk With Third-Party Intelligence appeared first on Recorded Future.



from Recorded Future https://www.recordedfuture.com/third-party-intelligence-module-overview/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more