Why Vendor Security Assessments Alone Are Not Enough
Your vendor risk management program is only as good as the security questions you ask and how truthfully your vendors answer. While most vendor security questionnaires are quite lengthy and dig into nearly every internal and external security practice a vendor has in place, the data you receive is simply a snapshot of a moment in time.
A cybersecurity threat that arises tomorrow and changes the vendor’s security practice (or worse, doesn’t change it at all) won’t be documented in the questionnaire response. If you assess your vendors annually, this lengthy cadence opens your organization to vulnerabilities and risks that should be remediated immediately; however, you won’t learn of them until your next scheduled vendor assessment.
On the flip side, the security questionnaire is a double-edged sword for most vendors. Members of a vendor’s infosec team are pulled from protecting their own business to complete the questionnaire. Without an automated system, this can be quite a lengthy process, resulting in a lapse of monitoring that could introduce vulnerabilities.
As hackers have become more sophisticated and their operations more devious, vendor security questionnaires are now just one piece of the vendor risk management puzzle. To thoroughly assess a vendor, Enterprises need to expand their assessment process to one that continually analyzes, monitors and flags a vendor’s vulnerabilities.
Trust but Verify
For a vendor risk management program to hold any validity, Enterprises must trust that the vendor’s answers to the security questionnaire are an accurate and honest representation of their IT and security practices. However, two potential pitfalls can occur with this level of trust. First, manually verifying the information provided can add another tedious layer to the already cumbersome process; and second, as previously mentioned, this only documents a moment in time and might not catch the following ongoing security issues:
- Dangerous Services: Databases or management interfaces exposed to the Internet
- Vulnerable Services: Outdated or known vulnerable software running
- Reputation: Internet-facing assets that have been flagged for a phishing scam or an attempt to attack a honeypot
- SSL Security: Outdated or invalid SSL certificates resulting in unsafe connections
- DNS Hygiene: DNS configuration not maintained or regularly updated with basic protection settings
- Technology Fingerprint: Outdated or unpatched technology fingerprint of Internet-facing assets
Continuously Monitor with ProcessBolt’s VendorVision
Continuous threat monitoring is mandatory for today’s Enterprise. ProcessBolt’s ThreatScape is an automated risk evaluation and alerting system that automatically and continuously monitors the Internet-facing assets of your vendors against aggregated threats. Websites, applications, and other Internet-facing assets, all of which are vulnerable to cybersecurity attacks, are loaded into your dashboard and monitored on a continuous basis. When a threat is identified that may affect a vendor’s risk assessment rating and remediation recommendations, VendorVision notifies the Enterprise’s stakeholders immediately.
VendorVision can also be used by vendors and Enterprise organizations to actively monitor their own Internet-facing assets against potential threats. Vendors can quickly identify dangerous and vulnerable services and eradicate maintenance and patching issues related to their own Internet-facing assets. By proactively monitoring and remediating cybersecurity threats as they occur, vendors can ensure successful and accurate security assessments and improve client relationships.
See it in Action
Sign up for a 15-minute demo of ThreatScape and see how easy it is to identify vulnerabilities in your own organization.