"The big relationships might not be the biggest risk," Goldman says. The biggest suppliers are likely to have elaborate cyber security defenses already in place. "But if you look at smaller organizations, they don't have that same level of cyber security control," he says.
Once a company understands who all the vendors are, and which of them have access to sensitive data, a variety of tools are available to help assess the level of their security. For example, some companies are including security in the service level agreements with their suppliers, says Tim Prendergast, CEO at Evident.io, a cloud security company.
"We're seeing a movement toward requiring an agreement from the provider showing their commitment to security," he says. "They ask those providers to enforce similar controls on their partners. We're seeing a legal cascade of these contracts."
Vendors may be asked to do self-assessments, allow customer visits and audits, or purchase cyber insurance. Sometimes, a more thorough assessment is necessary. "We've seen a lot of companies perform audits on their service providers," says Ryan Spanier, director of research at Kudelski Security. "One large financial institution that we work with requires audits and gets to come onsite and run their own penetration tests and see where the data is and how it's protected."
Smaller customers, however, may not have that kind of clout. "They just require evidence of third-party audits, see the results and get to review them," he says. "Then they mandate that some of the things get fixed before they'll continue to do business with the company. You can also limit yourself to companies you know are doing a good job with security, which is tough, because there aren't many of them right now."
In addition, there are organizations that provide security scores. For example, BitSight Technologies and SecurityScorecard look at vendors from the outside, rating companies on how resistant their networks are to attack.
For deeper assessments, looking at vendors' internal policies and processes, Deloitte and CyberGRX have teamed up to do the reviews as well as ongoing assessments, saving vendors from responding to each of their customers individually. "Companies today need to approach third-party cyber risk as a business risk that needs to be continuously managed," says Jim Routh, CSO of Aetna. "The CyberGRX Exchange enables all companies to take this approach."
A couple of financial industry groups are doing something similar. In November, American Express, Bank of America, JPMorgan and Wells Fargo teamed up to create a vendor assessment service called TruSight. In June, Barclays, Goldman Sachs, HSBC and Morgan Stanley announced that they were taking an equity stake in the Know Your Third Party risk management solution from IHS Markit.