Monitoring the information security posture of your business partners is not a new concept. There are two prevalent approaches used today: (1) self-assessment questionnaires, and, for critical partners, (2) annual audits performed at a cost of thousands of dollars per year per partner. There are obvious limitations to both. For the former, you cannot verify the answers provided by the partner, and for the latter, you only have information for that single point in time of the audit. A better approach would be to use a cloud-based service that can passively, empirically, and continuously monitor, analyze, and rate the cyber security risk level of your partners.
Business partners, such as law firms, advertising agencies, email houses, suppliers, and customers, create two types of information security risks. First, you share confidential information with them, which can be exfiltrated. Second, because you are electronically connected to many of them, attackers can pivot through a partner to attack you.
Methods to evaluate your partners’ information security posture have been limited to (1) self-assessment questionnaires, which can be subjective and are difficult to verify, and (2) annual audits, which cost thousands of dollars per partner and only provide you with an assessment at that specific point in time.
A better solution is a passive, cloud-based, data/event collection service that can provide empirical and continuous monitoring of your partners. Passive means no active vulnerability scans or penetration testing, just passive data/event collection and analysis. The service may provide vulnerability scans and penetration testing as an option, but only with the partner’s consent.
Ideally, each partner is analyzed and rated on a daily basis. Using modern big data technology like Hadoop, the service can gather and analyze billions of events every day. The rating for each partner is a function of such factors as volume, duration, severity, and confidence.
The solution must also provide a dashboard to easily communicate to you which of your partners need attention based on new events and trends. And you need the ability to drill down to understand the specific events affecting each partner’s overall rating.
There is actually another use case for this type of service. You can monitor your own company and compare yourself to your competitors!!