Libby Bevin

Cyberattackers and hackers try to exploit security vulnerabilities to gain unauthorized access to enterprise networks. Their intentions typically include installing malware, stealing sensitive data, launching supply chain attacks, or engaging in cyber extortion or espionage.

As the cyber threat landscape expands, security experts at IBM believe that “thousands of new vulnerabilities (are) likely to be reported in both old and new applications and devices,” and conclude that the “risk surface will continue to grow in 2021.”

It’s imperative to protect your organization with network vulnerability assessments to discover and seal up those vulnerabilities. To do this, vulnerability scans are indispensable tools.

A vulnerability scanner is an automated vulnerability assessment tool that searches for, discovers, and reports on potential vulnerabilities in your organization’s IT infrastructure. You can then address these weaknesses before they lead to operational disruptions, downtime, security breaches, ransomware attacks, zero-day exploits, and other cyber events.

You can conduct either external or internal vulnerability scans with different types of scanners. An internal vulnerability scan operates within your internal network firewalls to identify at-risk systems and potential vulnerabilities inside the network.

In contrast, an external scan is performed outside your network. It looks for gaps in firewalls that may allow malicious outsiders to break in and attack the network and its assets. Like external penetration testing, external scanning can detect open ports and protocols. An external scan also looks at specific IP addresses to identify open, exploitable vulnerabilities that jeopardize network security.

Differences Between Internal and External Vulnerability Scans

Target

Threats to the enterprise network can originate from both outside and inside the network. An external vulnerability scan looks into the network from outside to find, identify, and help close potential external entry points for unwanted intrusion. It starts by looking for weaknesses in the network’s firewall. It also tests the external network perimeter and outside IP addresses.

Conversely, an internal scan is designed to search the network’s internal components and find open vulnerabilities — that is, possible security gaps that bad actors may exploit.

Perspective

An internal vulnerability scan takes an insider’s perspective: someone who has access to your enterprise network and systems. For example, a disgruntled employee may be a security risk. Hence the scan is performed internally, replicating typical access to the network being scanned.

On the other hand, an external scan takes an outsider’s perspective and is conducted without access to the network.

Common Vulnerabilities Detected

The most common vulnerabilities detected during internal scans include:

• Missing third-party patches
• Unpatched, high-risk known vulnerabilities
• Common known vulnerabilities, such as vulnerabilities in open source software including the Heartbleed bug or the EternalBlue exploit

On the other hand, external vulnerability scans are beneficial for detecting:

• The use of unsecured transfer protocols by various enterprise services
• The use of deprecated services like TLS 1.0 or 1.1 to configure servers
• Named vulnerabilities

Both internal and external vulnerability scans are critical to your business. They each have distinctive benefits defining their place in modern-day cybersecurity.

What Are the Benefits of Internal Vulnerability Scans?

Internal vulnerability scans look at the enterprise IT infrastructure and security profile from an insider’s viewpoint — specifically, someone who is authorized to access enterprise assets. This someone could be an employee or a third party such as a vendor or contractor.

By probing the IT infrastructure in that way, internal scanners and scans provide the following benefits:

• Simulate the behaviors and actions of someone with standard privileges to identify vulnerabilities that could potentially impair business-critical systems, functions, and operations
• Validate permissions and privileges with the respective access of insiders
• Identify at-risk systems and prioritize vulnerability remediation
• Provide useful insights to improve patch management and security management processes
• Fix vulnerabilities to improve compliance with regulatory requirements or security standards such as HIPAA, PCI DSS, or ISO 27001/27002

You can perform either credentialed or non-credentialed internal scans. Credentialed scans reveal information about vulnerabilities that an outside attacker can exploit via a phishing attempt or malware.

Non-credentialed scans show what kind of network information a rogue in-house insider can obtain without the designated privileges. Both types of scanning processes can be beneficial for your organization since they expose different kinds of vulnerabilities and threats.

What are the Benefits of External Vulnerability Scans?

An external vulnerability scan is conducted from outside the enterprise network (that is, without access to the network). These scans target your network’s external IP addresses and detect open ports and protocols to identify security gaps.

Like internal scans, external vulnerability scans are proactive rather than reactive. That’s why these scans should also be a part of your cybersecurity program. They offer the following benefits:

• Help verify the security posture of your externally facing services
• Show known weaknesses in network structures that could lead to a breach
• Reveal the most significant threats and risks in your enterprise network
• Identify new devices or services that may present new threats or weaknesses to the enterprise

Make ZenGRC Part of Your Compliance System

ZenGRC provides a wide range of capabilities to help you streamline your vulnerability management program. It’s a single source of truth repository that features control frameworks, risk registers, customizable readymade templates, automation features, and built-in integrations.

Automated workflows document tasks and drive activities to completion. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption across your enterprise.

Schedule a demo to see how ZenGRC empowers security teams to proactively identify threats and risks, protect the business, and minimize loss events.

2020 was a landmark year for data breaches. This year will likely be no different.

More than 8 billion records were exposed in just the first quarter, a 273 percent jump over the same period from 2019. By the end of Q3 2020, a staggering 36 billion records had been exposed. By end of the year, data breaches had struck high-profile organizations including SolarWinds, Facebook, Microsoft, and the U.S. Department of Defense.

And although 2020 was dubbed “the worst year on record,” 2021 seems to be worse. By October, the number of publicly-reported breaches had surpassed 2020 figures by 17 percent.

That’s a lot of data leaking away from corporate control. In this post, we’ll explore the idea of data leakage, its common causes, and how companies can work to prevent such incidents.

What Are the Risks of Data Leakage?

A data leak is not something to be taken lightly. Let’s talk about the potentially severe consequences of a data leak.

• Loss of Sensitive Data

  If a breach leads to the loss, compromise, or theft of sensitive, critical, or secret data, the consequences can be devastating for the data owners and the company.

  For instance, if the data is Personally Identifiable Information (PII), its loss may result in identity theft. If healthcare data is compromised, it may affect the medical care a patient receives.

• Financial Losses

  The average cost of a data breach in 2021 has risen to a staggering $4.24 million. A breach can bring substantial financial harm to the affected organization.

  Breach investigation, incident response, cybersecurity measures, and victim compensation all cost money, and usually lots of it. A breach can also increase the costs of insurance and affect compliance with regulatory standards. Ultimately, a firm can experience decreased share price and market valuation.

• Reputational Damage

  A data breach often results in bad media coverage, which can devastate the organization’s reputation and brand value. It may lead to a loss of customer trust and loyalty, resulting in increased customer churn. In the long term, reputational damage can hurt the company’s ability to attract new employees, customers, and investments.

• Operational Downtime

  A data breach can disrupt business operations and cause downtime, leading to revenue and productivity losses. It can also drive up costs for overtime, system repairs, data recovery, and the like. It may also affect the supply chain, resulting in delays, additional fees, or fines.

• Legal Fees and Regulatory Penalties

  Legal expenses and regulatory penalties can add up quickly if a data breach results in a class-action lawsuit or regulatory enforcement.

  In 2017, Equifax suffered a massive data breach where hackers stole the personal data of 145 million customers. In 2019, the company agreed to pay $575 million for a settlement with the Federal Trade Commission (FTC). It also agreed to pay $300 million to a fund to provide affected customers with free credit monitoring services.

4 Common Data Leaks in 2021 (And What Causes Them)

1. Technology

   Insecure devices, unpatched software, open software vulnerabilities, and a lack of encryption are common causes of data breaches. Misconfigured software settings could also expose sensitive or confidential information, such as:

   • Customer records (names, addresses, or Social Security numbers, for example)
   • Employee records
   • PII
   • Healthcare information
   • Financial information, such as credit card numbers
   • Business secrets
   • Intellectual property

   Lost or stolen devices containing sensitive information can also result in breaches.

2. People

   Many organizations assume that breaches are the result of malicious outsiders. This is wrong. According to a 2020 survey, negligent insiders and human error accounted for 62 percent of cyber incidents in organizations.

   Employees can inadvertently increase the chances of a major data breach in the organization when they:

   • Send information to the wrong person
   • Upload data to an unsecured location
   • Access company files through an open WiFi network
   • Use recycled, default, or weak passwords
   • Fall victim to a phishing scam or social engineering attack

   Per another survey, malicious insider attacks are also on the rise, accounting for 14 percent of security breaches. Employees or vendors may intentionally misuse their access credentials to steal company data for financial gain or sabotage the business.

   The risks of data breaches due to people are higher than ever. Employees are 85 percent more likely to leak sensitive files now than they were before COVID-19 due to the implications of remote work. In 2021, 33 percent of data breaches are expected to be insider threat-related.

3. Supply Chain Attacks

   Supply chain attacks often result in data breaches with far-reaching impacts.

   In the SolarWinds Orion attack of 2020, threat actors slipped malicious code into the company’s software. The code enabled the attacker to compromise the software at the source, and consequently attacked all organizations using SolarWinds software. Thus, one single attack gave the hackers access to the data of all victim organizations.

4. Cyberattacks

   Many malicious data breaches occur due to cybercrime or cyberattacks. The most common methods used by hackers to steal enterprise data are:

   • Malware: Bad actors install ransomware or spyware on victims’ devices to spy on them, steal data, or demand ransoms after encrypting their data.
   • Phishing: Attackers pose as genuine organizations to fool victims into parting with sensitive data.
   • Brute force attacks: Hackers work through multiple user name and password combinations to find one or more combinations that can give them access to victim devices, and ultimately, their data.

How Can I Avoid Data Leaks? 5 Preventative Measures

By taking the steps below, organizations can prevent data leaks and avoid becoming victims of clever hackers or sophisticated cyber criminals:

1. Strengthen Cyber Defenses

   In today’s breach landscape, strong cyber defenses are absolutely critical. Every organization must protect its networks and assets with robust cybersecurity and digital risk protection programs that include:

   • Firewalls to block malicious external programs from infiltrating the network and accessing data
   • Antivirus, anti-spam, and anti-malware programs on all devices
   • Endpoint detection and response (EDR) solutions
   • Automated vulnerability scans and manual penetration tests
   • Robust bring your own device (BYOD) security policies to protect personal devices containing sensitive data
   • Strong password policies and multi-factor authentication
   • Protective measures to secure data backups

   In addition, work with vendors and contractors to assure they have also implemented cybersecurity measures for preventing third-party data breaches.

2. Regularly Patch and Upgrade All Software

   Software vulnerabilities are a common cause of data breaches, so it’s vital to regularly patch and update all enterprise software. This is especially important for third-party and open source software since research has found that vulnerabilities in their source code are responsible for 16 percent of data breaches.

3. Encrypt Data

   Encryption is vital to prevent hackers from accessing or reading sensitive corporate data. All private, sensitive, and classified information should be encrypted, whether it’s at rest or in transit.

   It’s also important to encrypt all devices, including mobile devices, wireless networks, routers, and entire disks — not just a few files. This way, even if a malicious entity accesses, duplicates, or steals the data, the attacker won’t be able to read it. That will help to minimize damage.

4. Improve Employee Security Awareness

   Since careless insiders are a primary source of data breaches, enterprises must minimize the insider threat problem. Hence employee security awareness is crucial. The cybersecurity awareness program should train employees on all these critical cyber hygiene aspects:

   • How to detect ransomware or phishing attacks
   • Social engineering and how they can avoid becoming a victim
   • The importance of using strong, unique passwords
   • The consequences of leaving devices unattended and using insecure WiFi networks or personal devices
   • The role of access management in preventing unauthorized access
   • Best practices and policies for email and remote work

   It’s also important to monitor “red flags” that may indicate insider security threats to data. These include employees who:

   • Work outside scheduled work hours
   • Log in from different locations or devices
   • Copy large amounts of data to removable drives or personal devices
   • Exhibit signs of personal problems that may indicate deeper financial troubles

   User behavior analytics (UBA) and security information and event management (SIEM) systems can help security teams proactively spot and address insider threats to data security.

5. Dispose Data Properly

   Data thieves can also retrieve data from old devices and outdated documents. That’s why safe data disposal and record retention policies are crucial to protect data and prevent data theft.

   Enterprises must safely store paper documents and assure that only authorized personnel can access them. Old records must be shredded, the contents of old devices such as hard drives and portable storage media must be removed, and old files must be deleted from on-premises and cloud backups.

ZenGRC Can Help Prevent Data Leakage

Data breach prevention starts with understanding your risks. Expose evolving threats, track risks across your enterprise, and see where risks are changing with ZenGRC.

ZenGRC is an integrated governance, risk, and compliance platform that can help you manage your security risks and policies with ease. Minimize business exposure and the risk of data breaches with enhanced visibility into your risk environment.

Its software solutions provide a single source of truth to manage all documentation. Automated features track workflows and due dates so risk managers can focus on the bigger picture.

Schedule a demo today to see how ZenGRC can benefit your business.

The International Association of Privacy Professionals (IAPP) defines privacy as “the right to be let alone, or freedom from interference or intrusion.” Many people and cultures consider privacy to be a fundamental right, the foundation upon which many other human rights are built and recognized.

Information privacy is specifically the right of a person to have some control over how his or her personal information is collected, stored, or used. There are many ways to infringe on information privacy in today’s age of information technology, and protecting privacy is a complex endeavor.

As technology becomes more sophisticated and invasive, many organizations now struggle to protect information privacy — the loss of which can have catastrophic effects, both on the individuals who own the information and on the organizations trying to maintain privacy. As a result, organizations, regulators, and governments are increasingly focused on privacy protection laws and regulations.

To be compliant with these laws and regulations, organizations must identify and manage privacy risk. For this, they must assess how they collect, use, share, and maintain personally identifiable information (PII). This is where a privacy impact assessment (PIA) comes in.

What Is the Purpose of a Privacy Impact Assessment?

A PIA helps to identify, assess, and manage privacy risks that could arise from projects, systems, strategies, policies, or business relationships. A PIA enables an organization to analyze how it collects, uses, and maintains electronic information. It also evaluates privacy in the organization’s information management systems and collections. To this end, a PIA identifies:

• The risks of collecting, maintaining, and disseminating personal data
• An organization’s existing protections (or the lack thereof) to reduce privacy risks
• Compliance with applicable privacy-related regulatory or legal requirements
• Options for PII owners to provide consent for data collection

A PIA demonstrates that the enterprise has consciously incorporated privacy protections and controls throughout the development lifecycle of an information system, device, software module, or program that processes personal information. It provides documented assurance that the potential privacy issues in these systems have been identified and addressed adequately.

For instance, in a software development lifecycle (SDLC), a PIA enables system owners and developers to assess privacy, determine how the project might impact the privacy of individuals, and understand whether privacy protection objectives could hinder the project’s objectives. Such assessments can be carried out during the early stages of the SDLC and multiple times throughout the process.

Who Should Do a Privacy Impact Assessment?

A PIA — and a privacy program in general — is vital for organizations that collect or have access to a large amount of sensitive, private, or personally identifiable information. In this type of self-assessment, the organization assesses its internal processes to determine whether it can adequately protect the privacy of individuals whose data it collects, processes, or stores.

Under the E-Government Act of 2002, all U.S. federal agencies must conduct PIAs for all programs and information systems that collect PII. The law also mandates that a PIA should be completed when the agency:

• Develops or procures a new technology or system that handles or collects PII
• Revises or modifies an existing IT system
• Issues a new or updated rulemaking that affects PII

By conducting a PIA, these government agencies can demonstrate that they’re committed to protecting the privacy of PII and that they conform with applicable regulatory or legal requirements for privacy.

It’s not just federal agencies that can benefit from a PIA. Any organization that collects or processes PII about its customers, clients, business contacts, employees, and the like can benefit from a PIA.

With an increasing focus on data protection and individual privacy, CIOs should assure that their organizations don’t indiscriminately collect PII or hold it indefinitely. Instead, they must implement robust processes and safeguards to collect data only for specific purposes, inform users about the reason for collection, and delete the data when it is no longer required.

Organizations that do business with the European Union (EU) or that have data stored in the EU must conduct a PIA to comply with the General Data Protection Regulation (GDPR). The GDPR stipulates that organizational systems and processes must have data protection and privacy embedded (privacy by design) from the beginning of a project.

Whether you simply want to protect your business or need to meet regulatory requirements, a PIA can help you meet your objectives. It provides a strong starting point to design and implement the necessary processes.

When Should You Do a Privacy Impact Assessment? How to Know if You Need a Privacy Impact Assessment?

In general, your organization should do a PIA if any of the below conditions are true:

• You collect, use, and store PII about individuals, such as customers, vendors, or employees
• You possess information that is considered sensitive, such as patient records or financial data
• You are creating new information systems to store and manage PII, such as when converting paper-based records to electronic systems
• You have security systems and controls to protect private or sensitive information, but they’re undergoing changes that could potentially create new privacy risks or lead to privacy incidents. For example:
  • When a new technology could create a more open environment for data exposure that did not exist before
  • When system modifications will change information from anonymous to identifiable
  • When databases are merged to aggregate data but end up creating new privacy concerns
• If a system change could create new risks to civil rights or liberties
• If vendors, suppliers, or other third parties have access to PII that you maintain and are at risk of data breaches or cyberattacks
• When business process changes result in the disclosure of information in identifiable form

What Are the Possible Consequences of Not Performing a Privacy Impact Assessment?

A PIA acts as an “early warning system” that shows you the gaps in your organization’s privacy processes and controls. These gaps may lead to compliance and regulatory issues or damage your reputation. You may even lose customers and business, which can harm your finances.

If you don’t conduct a PIA, you can’t prove to regulators, customers, or the public that you take privacy seriously, much less that you have strong privacy controls in place. Without such evidence, your organization cannot earn the trust or confidence of its stakeholders, which could hurt its reputation and financial health.

One of the biggest American credit rating agencies, Equifax, was hacked in 2017. Hackers stole the personal information of 140 million customers, and the incident cost Equifax $1.4 billion in security upgrades.

Equifax is one of the most famous incidents involving a massive breach of PII, but it is by no means an isolated one. By the end of September 2021, the number of data breaches had already surpassed the total for 2020 17 percent. Each breach costs on average $4.24 million, which is 10 percent more than the 2020 cost of $3.86 million.

By conducting a PIA and a cybersecurity risk assessment, you can identify control gaps that create privacy risks or lead to privacy events similar to Equifax. These privacy risks could disrupt operations, require costly system modifications, lead to identity theft, and increase your vulnerability extortion demands.

By identifying and fixing those gaps, you can avoid embarrassing, costly, or business-threatening privacy mistakes.

Is There a Difference Between a Privacy Impact Assessment and Privacy Risk Assessment?

Numerous overlapping terms are used in the privacy world. A privacy impact assessment is often referred to as a privacy risk assessment, with many people using them interchangeably.

The EU’s GDPR uses the term Data Protection Impact Assessment (DPIA), which is covered in Article 35. It specifies that a DPIA is required whenever data processing may create a high risk to the rights and freedoms of individuals.

The Federal Trade Commission (FTC) and other government agencies in the United States use the term PIA to specify how PII is collected, used, shared, and maintained by government agencies. It arose from the E-Government Act that applies to all government agencies. It’s also used by private sector firms for similar initiatives.

Perform a Privacy Impact Assessment with ZenGRC

ZenGRC is a governance, risk, and compliance platform that can help you manage all of your privacy protection initiatives. Perform a privacy assessment using ZenGRC’s out-of-the-box features. Its single source of truth repository centralizes all documentation for easy retrieval at audit time.

ZenGRC streamlines evidence and audit management for all of your compliance frameworks. Dashboards and insightful reporting provide visibility to where you are compliant and where you fall short.

Automated workflows and reminders allow risk and compliance managers to assign and track tasks to completion with minimal effort. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.

Contact us today for a demo of ZenGRC.

Digital transformation has created enormous opportunities for businesses to grow and prosper. It has also brought great risk, foremost from criminals armed with sophisticated cyber-attack tools.

To ward off those attackers, and to keep critical infrastructure and data safe, organizations must protect themselves with the right tools, technologies, and procedures — but first the organization must understand where it is vulnerable; and that is where cyber situational awareness comes in.

Cyber situational awareness is your understanding of the IT environment and the cybersecurity threats and vulnerabilities confronting that environment; as well as anticipating the potential consequences. Awareness enables enterprises to get a holistic, real-time view of cyber threats, understand their security profile, and respond appropriately to a security event.

Effective cyber situational awareness requires both people and technology. Technology like cybersecurity tools and automation software allows organizations to collect, analyze, and respond to threat data. But people are also crucial because they’re the ones who use the tools, interpret the data, use tools, and make decisions to strengthen cyber defense.

What Are the Benefits of Cyber Situational Awareness?

Strengthen Cyber Defenses

Cyber situational awareness empowers organizations to understand current risks and anticipate future ones. Organizations can then design or identify the required solutions to strengthen their cybersecurity posture and improve their risk management program.

Protect Organizational Assets

By anticipating future adverse events, leaders and decision-makers can develop effective countermeasures to protect themselves, their IT assets, and their customers and stakeholders from cyber-attacks such as malware and data breaches.

Mitigate Human Weaknesses

These figures show how humans are a critical weakness in cybersecurity:

• 66 percent of organizations believe that insider attacks are more likely than external attacks;
• 57 percent feel that insider incidents have become more frequent since 2020 (particularly since the onset of the pandemic);
• 59 percent of IT leaders expect insider risks to increase over the next two years.

The potential for human error is high, and these errors could lead to severe damage. To prevent such errors (or at least to catch them early) cyber situational awareness is crucial.

Cyber situational awareness enables organizations to understand threats from employees, ex-employees, and even third-party stakeholders. Equally important, it sets the stage for designing appropriate threat response and risk mitigation strategies.

What Are the Key Elements of Cyber Situational Awareness?

The modern cyber threat landscape is vast, complex, and constantly growing. Organizations require more than reactive cybersecurity operations and stand-alone tools for intrusion detection or endpoint protection to stay ahead of the bad guys.

A lack of real-time and relevant information about threats and threat actors, and a poor understanding of your own cyber situation, can be particularly dangerous. That cyber situational awareness must be improved on three key fronts:

Network Situational Awareness

Once upon a time enterprise networks were much less complex than they are today. They had closely defined perimeters and on-premises systems; and didn’t have to deal with the risks created by remote workers, BYOD devices, cloud-based assets, or third-party access. All of this has now changed.

Today the enterprise network no longer has a defined perimeter, and the number of threats in the network environment has exploded. To prevent these threats from damaging enterprise systems or data, comprehensive network situational awareness is crucial. It should include multiple aspects, including:

• Understand the structure of the network;
• Regularly inventory and continually manage all assets and configurations;
• Implement robust patch and upgrade management;
• Perform routine vulnerability auditing to find vulnerabilities before bad actors can exploit them;
• Improve incident awareness, and share this information across the organization and with relevant stakeholders.

Threat Intelligence

New threats, vulnerabilities, and threat actors are emerging every day, so organizations must scale up their threat awareness. Further, threat awareness must include up-to-date knowledge of both external and internal threats. And for this, threat intelligence is vital.

Actionable threat intelligence provides contextual, real-time threat information that empowers organizations to prevent, identify, prioritize, and mitigate cyber-attacks.

To maintain high threat awareness in the modern-day threat landscape, enterprises must:

• Identify and track all internal threats, including suspicious behaviors;
• Identify, track, and stay current on external threats;
• Participate in information sharing communities to stay updated on new and emerging threats.

Mission Awareness

Cyber situational awareness is incomplete without mission awareness, which we can broadly define as an awareness of the organization’s mission or business, and how threats and countermeasures fit into the perspective or context of this mission. To start with, this requires developing a comprehensive view of the critical mission dependencies to operate in cyberspace successfully.

By understanding these dependencies, the organization can:

• Respond appropriately to a security event or crisis;
• Triage, or prioritize, security incidents as per their impact on the organization’s mission or business;
• Anticipate threats and risks by conducting risk and readiness assessments;
• Implement informed defense planning to mitigate future events;
• Conduct post-event forensic analysis to identify and address gaps in the security posture, and to minimize the chance of repeat events in future.

How Can I Improve My Cyber Situational Awareness?

Ongoing and robust cyber protection requires cyber situational awareness at every level of the enterprise. A tactical and on-the-ground understanding of threats is critical for day-to-day security.

It’s also crucial to develop strategic and operational cyber situational awareness. Senior leadership should understand the potential impact of a security event on the organization’s ability to execute its operations.

To achieve this level of situational awareness, lower-level details must be summarized and correlated to the business context. It’s also important to look for information about:

• Indicators of compromise (IoC);
• Threat actors;
• Tactics, techniques, and procedures (TTPs);
• Threat trends.

The right tools can help improve visibility into the threat landscape and improve situational awareness by tracking:

• Enterprise devices (endpoints), processes, applications, and users (both authorized and unauthorized users);
• How authorized assets serve the organization, and how critical they are;
• Known vulnerabilities on these assets.

In addition to leveraging tools for:

• Threat detection and management;
• Network management;
• Incident reporting;
• Threat intelligence sharing;
• Risk monitoring.

Enterprises must also integrate information and contextualize it to create a clear picture of what is versus what should be. For this, a robust system for situational awareness can be beneficial.

Finally, organizations should assure that information sharing happens regularly and at every level. Creating awareness about threats and vulnerabilities should flow from security and IT operations teams to employees to provide ground-level situational awareness.

At the same time, empower employees to share information with security stakeholders via incident reporting for strong threat mitigation. Cybersecurity awareness yields dividends when you can prevent chaos, rather than react to it.

Mitigate Cyber Risks With ZenGRC

Improve your organization’s cyber situational awareness and control cyber risks with ZenGRC. Leverage its single source of truth to centralize activities for risk management and mitigation.

Manage information security risk across the enterprise, prioritize concerns, and take quick actions to address vulnerabilities before bad actors exploit them. ZenGRC can help you mitigate business exposure and maintain a consistently strong cybersecurity profile. Learn more about ZenGRC.

All organizations rely on vendors to function in today’s dynamic landscape while achieving peak operational efficiency, cost-effectiveness, and economies of scale. A growing third-party network can yield significant benefits for organizations — but it also results in greater risk.

A robust third-party risk management program (TPRM) is crucial to mitigate that risk and maintain business continuity; and a critical component of that program is understanding which providers pose the most significant “threat criticality.” This ranking system can be achieved with vendor tiering.

Vendor tiering can help you optimize your vendor risk management program, strengthen cybersecurity, and create a more resilient organization.

What Is Vendor Tiering?

Vendor tiering, sometimes known as a tiering assessment process or simply a tiering assessment, is the practice of identifying vendors and categorizing them based on risks they bring to an organization.

Not all threats are created equal; neither are all third-party vendors. Each vendor presents different threats and has a different level of risk and threat criticality. Vendor tiering allows you to understand these differences by separating vendors into different “threat tiers” such as low-, medium-, high-, and critical-risk.

This tiering process can guide your risk management strategies. It helps you to focus vendor risk assessment and mitigation efforts on the third parties that pose the most critical risks.

Should I Tier My Vendors?

Yes. With vendor tiering, you can group vendors efficiently to distribute your risk remediation efforts and strengthen your cybersecurity posture.

Tiering vendors is critical if your vendors can access your systems or data. That access introduces the possibility of supply chain attacks, which you can mitigate if you know which vendors have such access and their threat criticality level.

Without question, industries that generate and store sensitive or mission-critical data should implement a vendor tiering process as part of their third-party risk management program. This includes highly regulated sectors that come under the purview of legal and regulatory standards such as:

• Health Insurance Portability and Accountability Act (HIPAA)
• The Payment Card Industry Data Security Standard (PCI-DSS)
• California Consumer Privacy Act (CCPA)
• General Data Protection Regulation (GDPR)
• Sarbanes-Oxley Act (SOX)

Such industries include healthcare, financial services, utilities, and technology, to name a few. These industries are very attractive to cyberattackers and hackers who often attack through vendor networks, systems, or software. A vendor tiering process helps an organization differentiate processes and controls for low-risk versus high-risk vendors.

The Benefits of Vendor Tiering

Although vendor tiering cannot guarantee total coverage of the vendor landscape, it does improve your chances of identifying, categorizing, and minimizing overall vendor risk. A consistent tiering assessment can streamline the risk management process since it is based on solid data and current facts rather than assumptions or gut feelings.

Vendor tiering also helps to streamline regulatory compliance management. Organizations can group, and then scrutinize, vendors by specific risk assessments required. So vendors that need GDPR or HIPAA assessments can be grouped as Tier 1/critical-risk or Tier 2/high-risk, while other vendors can be grouped Tier 3/medium-risk, Tier 4/low-risk, and so forth.

Finally, since vendor tiering focuses on key risk factors with the biggest possible effect on the organization, it enables security teams to:

• Better identify the most severe risks
• Assess these risks based on criticality
• Avoid wasting risk management resources on low-risk vendors
• Implement effective mitigation plans for high-risk vendors

Top 3 Effective Vendor Tiering Strategies

Start vendor tiering by finding the answers to these questions:

• Which vendors work with your business?
• Do you have a list of known vendors from the procurement department?
• Have you updated your vendor register?
• What goods or services do the vendors provide?

If you work with hundreds or thousands of vendors, you may not be able to assess all vendors regularly. You should, however, aim to understand as many as you can to minimize the risk.

Don’t just assess vendors by financial value or number of transactions. Instead, try to understand your entire vendor landscape and the associated risks that could significantly impact your organization.

Here are three effective strategies to get started.

1. Implement Manual Tiering

   A manual tiering process means you manually sort vendors into tiers based on various risk factors that could affect your organization. One factor could be contract value, but this shouldn’t be the only guiding principle to create risk tiers. Also consider factors like:

   • Types of data that vendors handle
   • Criticality of the data
   • Level of access to your systems, data, or customers
   • Vendors’ compliance certifications (or lack thereof)
   • Possible harm on your reputation if vendors are attacked, or if you are attacked through them

   If you lack the resources to do thorough manual tiering, you can leverage automation. Implement a questionnaire-based tiering where an algorithm assigns a criticality rating to each vendor based on the vendor’s responses to your security questionnaires.

   Don’t just rely on and trust the vendors’ responses. Map these responses to existing cybersecurity frameworks such as NIST, CIS, ISO 27001, or COBIT, to evaluate their actual compliance against each standard.

   Vendor risk data must be collected for both methods (manual or automated), followed by a risk analysis to evaluate each inherent risk and residual risk based on its severity and likelihood of exploitation. The analysis should guide risk mitigation or remediation strategies.

2. Implement a Scoring System

   Before implementing a risk remediation plan, you must determine which vendors should be assigned to the critical or high-risk categories and which should go into medium or low-risk categories. Do this by applying security ratings to rank your vendors. You may assign classifications, such as Informal, Trusted, or Strategic.

   Assign scores to each vendor based on multiple attack vectors or threats:

   • How likely is the vendor to be attacked through that vector?
   • How high is the risk?
   • What is the potential impact for your organization?

   Evaluate these ratings periodically to understand if a vendor is suddenly bringing new vulnerabilities into your ecosystem (for example, because the vendor acquired a new business or started outsourcing part of its operations). Ratings will also simplify due diligence procedures when you need to onboard new vendors or service providers.

3. Communicate with Vendors

   Not all vendors take security seriously. So communicate with them regularly and set the right expectations from the beginning of the relationship.

   Convey all risk information to vendors, especially if they fall into the high-risk or critical-risk categories. Assess risk controls to identify which ones are acceptable, which are opportunities for improvements, and which ones must be established.

   Set expectations for security and confirm that the vendor acts quickly to address any open risks. Also, check which certifications the vendor might need to minimize risk to your organization.

   Let vendors know if you will audit them, and make site visits. Communicate data breach procedures that will activate if they experience a disruption or failure in services, and what liabilities the vendor might face for a breach.

   Follow these best practices to avoid communication lapses, improve collaboration, and mitigate risk over time:

   • Clearly state the requirements, frequency, and format for threat reporting
   • Identify a point of contact in your organization to manage vendor communications
   • Share your business continuity and disaster recovery plans in case of a cyber event
   • Set clear service level agreements (SLAs) for all stakeholders
   • Specify termination costs

ZenGRC is Your Best Vendor Management Tool

Streamline your third-party risk management process with ZenGRC. With a range of compliance checklists, workflows, metrics, and visualizations, this integrated platform can help you assess risk across your vendor landscape.

Automate security questionnaires, simplify due diligence, and improve third-party risk visibility through heat maps and dashboards. You can also continuously monitor risks and take fast actions to mitigate the impacts or business exposure.

Contact Reciprocity today for a free ZenGRC consultation.