Continuous risk monitoring is a valuable tool for organisations seeking to improve their cyber third-party risk management programs. Having an ongoing view of the biggest vulnerabilities that vendors expose to the internet helps businesses consistently and regularly verify the answers they have historically taken on faith from annual security questionnaires. Businesses can then begin to establish dedicated governance practices based on regular, observed evidence and a real understanding of risk.
Conventionally, security teams have tried to understand the ongoing risk posed by their vendors through annual assessments. However, this method poses several challenges. Modern business no longer allows for this kind of slow-and-steady risk management workflow. The growth of threat intelligence, artificial intelligence and the organisations applying them has made it possible to assess and respond to risk faster than ever before, allowing businesses to pinpoint and mitigate risks throughout their ecosystem. This is vital to the security of your organisation and requires an effective third-party cyber risk management program.
Third-party risk management can be a demanding task: from business owners demanding that vendors be onboarded ever faster to the ever-present threat of a data breach, there is a lot to worry about. One of the biggest worries in today’s security environment is the constantly evolving threat of a breach, especially one originating with a vendor.
Third-party risk does not go away for as long as the business relationship continues, and there are several reasons to monitor third-party cyber risk continuously, including the expansion or reduction of services, a material change to a provider’s location or facilities, and so on. Re-reviewing the risk associated with a third party, or continually monitoring third-party relationships, controls and activities, is vital for meeting regulatory and compliance requirements, for the health of the relationship and for the safekeeping of customer information.
Traditional assessments capture only a single point in time; between assessments, major security incidents or changes to security posture may occur without your knowledge. Assessments can also be extremely time-consuming. Many organisations and institutions work alongside a vast variety of vendors, and it takes extensive time to create assessments and the supporting material that must be handed over. Assessments take a great deal of time and resources to put together, to fill out, and to review and analyse once they are returned. Even so, assessments remain one of the most powerful tools for gaining in-depth insight into a vendor’s security posture.
These issues can have a significant impact on both the business and your security program. Delays in assessments may cause contract renewals to be postponed, which can hinder critical business operations; the time and cost associated with assessments can be a drain on resources; and the inherent limitations of assessments can raise the risk posed by vendors.
Continuous cybersecurity monitoring of vendors helps businesses run more efficiently by making assessments more scalable and lowering the time and cost of executing them. Having essential data insights and statistics on the activity and security posture of vendors means that businesses can take a much more targeted approach to assessments.
Enabling a proactive approach within continuous monitoring gives near real-time insight into your vendors. By watching for movement against risk thresholds, you can trigger an assessment based on changes to security posture instead of a calendar date. This ensures that an assessment is triggered by a genuine need to conduct one, and prevents potentially unacceptable risk from being introduced into the third-party ecosystem simply because it is not yet time for reassessment.
Personalised assessments are extremely important: using the same assessment for every vendor is a drain on resources and increases the time and cost of getting an assessment done. Using data ranging from ratings to risk vectors, assessments can be tailored to the vendor and to specific focus areas if there has been a significant drop in score or a change to risk vectors. This can save considerable time and resources.
Some vendors must be continually reassessed and monitored, and continuous monitoring can help set reassessment policies that save significant time and money. Key vendors may need to be assessed more than once a year if there is a notable change to their security stance, even if their last assessment was just a few months ago; others may not need to be reassessed at all, or can wait a few years. This can remarkably reduce the risk to the organisation.
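The threshold-driven, tailored and tiered reassessment policy described in the three paragraphs above, as an added example that is not part of the original article and not Orpheus’ own product logic: the vendor names, tiers, cadences, the 100-point drop threshold, the A-F risk-vector grades and the review date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy (assumed values, not Orpheus' own): reassessment cadence per
# vendor tier in days (None = never calendar-driven) and the rating drop that forces one.
CADENCE_DAYS = {"critical": 365, "standard": 730, "low": None}
SCORE_DROP_THRESHOLD = 100
GRADES = "ABCDF"  # risk-vector grades, best to worst (assumed scale)

@dataclass
class Observation:
    observed: date
    score: int     # overall security rating from external monitoring
    vectors: dict  # risk vector -> grade, e.g. {"patching": "B"}

@dataclass
class Vendor:
    name: str
    tier: str
    last_assessed: date
    history: list  # Observations, oldest first

def reassessment_triggers(v, today):
    """Reasons this vendor needs an assessment now (empty = wait); vector entries double as focus areas."""
    reasons = []
    cadence = CADENCE_DAYS[v.tier]
    if cadence is not None and (today - v.last_assessed).days >= cadence:
        reasons.append("calendar")
    if not v.history:
        return reasons
    # Baseline is the posture known at the last assessment; compare the newest reading to it.
    before = [o for o in v.history if o.observed <= v.last_assessed]
    baseline, latest = (before[-1] if before else v.history[0]), v.history[-1]
    if baseline.score - latest.score >= SCORE_DROP_THRESHOLD:
        reasons.append("score_drop")
    for name, grade in latest.vectors.items():
        if GRADES.index(grade) > GRADES.index(baseline.vectors.get(name, grade)):
            reasons.append(f"risk_vector:{name}")
    return reasons

# Constructed sample portfolio and review date (not real vendors or scores).
TODAY = date(2023, 5, 1)
SAMPLE = [
    Vendor("alpha-hosting", "critical", date(2023, 1, 15), [
        Observation(date(2023, 1, 10), 780, {"patching": "A", "open_ports": "B"}),
        Observation(date(2023, 4, 1), 650, {"patching": "C", "open_ports": "B"})]),
    Vendor("beta-payroll", "standard", date(2021, 1, 1),
           [Observation(date(2023, 4, 1), 810, {"patching": "A"})]),
    Vendor("gamma-print", "low", date(2021, 3, 1), [
        Observation(date(2021, 2, 20), 800, {"patching": "B"}),
        Observation(date(2023, 4, 1), 790, {"patching": "B"})]),
]
```

Run `reassessment_triggers(v, TODAY)` over `SAMPLE`: the critical vendor is pulled forward by its score drop and degraded patching vector, the standard vendor is due purely on cadence, and the low-tier vendor with a stable posture waits.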
Given the current climate, new cybersecurity threats present themselves almost every day. Third-party interactions across businesses are also increasing, meaning that businesses are working with more vendors than ever, not only to address the changes to the business climate that 2020 presented but also to become more nimble, adaptable and profitable as digital transformation takes hold.
The first step is for organisations to determine their material suppliers and understand their current processes. From there, a solution like Orpheus’ can help organisations understand the risk a supplier poses with no interaction from the supplier, massively reducing onboarding time and giving a more accurate assessment of risk. Continuous monitoring is likely to be seen as best practice by any relevant regulatory bodies, which helps the organisation in the event of a breach.