According to survey conducted by Deloitte in 2016, 87%of organizations have experienced disruptive incidents with the Third-Parties they have worked with. Another research done by Soha Systems found out that around 63% of breaches are because of Third-Parties.
How to Assess Third-party Risks:
Many Companies don’t conduct any assessment of the risk of Third-Parties, or sometimes they use age old questionnaire methodology like sending a lot of questions for Third-Parties to answer. Firstly, the questionnaire-based approach is very time consuming. Though there are so many online tools that simplify the process, but the answers got from questionnaire approach were not that reliable. Even if you continue with the assumption that all the questions answered by Third-Parties are correct to gather results quickly, there might be some cyber risks which are invisible to Third-Parties. These types of invisible risks can be detected by gathering cyber threat intelligence and by risk evaluation which companies like FireShadows can help.
Fortunately, there are platforms like FireShadows that gather third-party cyber risk data and provide a risk score or security rating for companies. The information gathering is done by a method called “passive scan” where non-intrusive methods are used, and company assets remain untouched. It is basically a hacker’s view of the Third-Parties external cyber risk. The OSINT (Open-Source Intelligence) data is collected from many feeds such as reputation services, hacker sites/forums, vulnerability databases, Internet-wide scanners, social media, paste sites, black markets, underground forums, etc. Information gathering should be done for the company of interest and any related third-party company.