Should I Talk to My Vendors About Their Cyber Posture?
Written by: Black Kite
You log into your third-party risk platform or questionnaire database and see that one of your biggest vendors has dropped to a C rating. Talking to that vendor might seem like the best move, as the level of third-party breach impact and destruction almost doubled in 2022, and you want to ensure your data remains safe.
But the truth is, talking to your vendors about their cyber security posture should be your last resort — as these conversations can often cause confusion, frustration, and even vendor churn.
Instead, there are several factors to consider first in determining the best course of action when your vendor’s cyber posture changes before you confront a vendor directly.
What should I do if my vendor has a C, D, or F rating?
Letter grades are a standard method for representing a third-party vendor’s cyber hygiene. But it’s crucial to note that letter grades are qualitative, so they don’t tell the whole story of vendor risk.
For example, if you have a vendor with an F, that’s probably a good indicator that their cyber hygiene is not where it should be. But when you get into the A, B, C, and D range, it becomes more difficult to determine if they are safe based on letter grades alone.
For example: An A rating can be misleading, as that grade could result from the vendor’s small digital footprint. And depending on your relationship with the vendor, further assessment may be required to ensure the A rating accurately represents their cyber hygiene.
However, vendor risk is challenging to determine from just a letter grade because cyber hygiene is just a single component of an accurate risk assessment. To get the full story on your third-party vendor’s cyber posture, you must uncover the potential financial risk of using that vendor with additional third-party vendor risk monitoring tools and methods.
Why talking to your vendors is a last resort
Talking to your third-party vendors about their cyber posture without a way to fund and execute an improvement project can cause confusion, frustration, and eventually churn. It can be challenging to fully communicate why and how a vendor should improve their risk level when dealing with qualitative information such as letter grades.
If you give one of your vendors a list of vulnerabilities to fix, their first response is always to ask why these vulnerabilities pose a high risk. Basically, you’re trying to get vendors to fix vulnerabilities without understanding which ones are the most pressing. And who has the time to sit down, explain, and learn what these vulnerabilities mean and how to fix them?
Additionally, there’s not much a vendor can do with a broad list of vulnerabilities if they don’t have the people or budget required to fix them. And if you ask them to fix their vulnerabilities and they don’t, what do you do? If that vendor provides an essential service for your company, cutting ties could disrupt operations across the entire organization.
Without a clear understanding of which vulnerabilities are the most important to fix and how to fix them, vendors could feel like your company has unrealistic expectations of their bandwidth and expertise. These unrealistic expectations will cause a strain on the relationship, potentially leading to churn.
What to do before talking to vendors
Communicating with vendors about their cyber posture without ruffling some feathers is one of the hardest parts of third-party cyber risk management. Here are some steps to take before heading down the conversation route.
Reduce risk internally
Before contacting a vendor, try to deal with the world you can control. First: Identify the vendor’s probable financial impact on your company should a breach occur.
Second: Determine the vendor’s factors that can increase or reduce the risk exposure you can fix internally to keep your company and customer data secure.
You can identify which factors to improve internally by asking the business unit that leverages said vendor some questions, including (but not limited to):
- How much data do we share with the vendor?
- Do we really need to share all that data?
- Which of our networks does the vendor have access to?
- Can we put in controls like encryption to reduce our risk of exposure?
If you ask these questions, reduce the amount of data you share with the vendor, put additional controls in place, and make all the adjustments you can, and the vendor’s probable financial impact is still above your risk appetite, then it’s time to engage the vendor.
How to engage with vendors if you have to
To properly engage a vendor in a conversation about their cyber posture and how to improve it, you can’t just show up with a long list of vulnerabilities for them to fix. Be specific about which vulnerabilities should be prioritized and build a plan with the vendor to fix these issues in a timely manner.
The most effective way to find the vulnerabilities that pose the most probable financial risk to your organization is to:
- Adopt a tool that determines how the vendor can reach a satisfactory risk level with the least amount of work possible.
- Bring the vendor a prioritized list of vulnerabilities to address.
- Illustrate the potential financial impact of the vulnerabilities on your organization.
- Work together to build a plan with specific deadlines and milestones.
- Use a collaborative, not accusatory, approach.
Ensure third-party vendor cyber success with Black Kite
Nowadays, every company has more vendors than it can handle and keep track of. Knowing which ones you should assess first and which need immediate improvement can be difficult.
Using a third-party risk intelligence platform like Black Kite that includes cyber risk quantification (CRQ) and a Ransomware Susceptibility Index® (RSI™) can support you in efficiently and effectively assessing your third-party vendor’s cyber posture.
Cyber risk quantification
When you know which vendors pose the most risk, you can focus on making every internal adjustment possible to improve their risk level. With CRQ, you can avoid engaging your third-party vendors in conversation by identifying the vendors that pose the most risk to your business.
With help from the open FAIR model, Black Kite’s CRQ solution illustrates vendor risk by calculating the probable financial impact of a third-party cyber breach on your organization in quantitative, easy-to-understand business terms.
Ransomware susceptibility index
Black Kite’s RSI™ can measure your organization’s third-party vendor risk from a threat actor’s point of view.
Black Kite’s RSI™ examines the tools, tactics, and procedures (TTPs) of bad actors producing and executing ransomware attacks. When you look at the TTPs, there is often a clear pattern of how bad actors succeed. Black Kite feeds your third-party vendor data into the RSI™ to identify any bad actors looking at your vendors as potential targets. For example: If a vendor’s RSI™ is high, then you know there is a clear and present danger and you should review the vendor immediately.
If you get to the point of engaging your vendor, showing them the results of the RSI™ is a powerful and clear-cut way to communicate that there are bad actors potentially targeting the vendor and you should work together to keep everyone’s data safe.
By leveraging both CRQ and RSI™, you can make more informed decisions around your third-party vendor’s cyber risk and take appropriate action to protect company and customer data.
Now that you know how to navigate third-party vendor cyber posture properly, go a step further and ramp up your digital supply chain defense with our Ultimate Guide to Building a Third-Party Risk Program.