It really depends on the regulatory concerns and size. For example, if you’re a part of a large company with enough regulatory concern that it’s important to start your own program, the best place to start is in finding a GRC platform, such as Onspring.
If you’re managing vendors, vendors have the same contact info as your family or your customers: names, phone numbers, email addresses, etc. So, you need to have an organized place to store that information in an easy-to-digest format. Spreadsheets are often the first format people look to when organizing this, but they involve manual updates, which will ultimately lead to bad data, poor data collection techniques, and so on.
The next step in formalizing your process, one that we’ve seen from our customers, is going from point-in-time checks—questionnaires, pen tests, etc.—to continuous data monitoring.
And this is extremely important. I’ll use COVID as an example. Looking at some of our ratings, there were many mid-sized companies that scored an A or a B prior to COVID, but when the pandemic hit, they didn’t have extensive remote access set up, so they were scrambling to quickly set it up. But this caused tons of exposures. There was an uptick in the amount of Remote Desktop Protocol (RDP) facing the internet, which meant that some attacker was able to just guess the right username and password and have complete control of a machine inside that company. So, it’s important to keep tabs on your data and security vulnerabilities at all times to proactively avoid problems like these when you’re forced to make a split-second decision.
It’s not enough to look once a year or mid-year because when a crisis like COVID occurs, you need to know that your vendors don’t pose a risk to your business. And if you are worried about your data, you need to take proactive steps to pull it away from that vendor and lock it or encrypt it. This way, no matter the likelihood of them getting breached, your data is safe. It also shows that vendor that you’re serious about risk because it could cost you and the vendor thousands of dollars in damage if action isn’t taken.
How do you get that early warning system? Continuous monitoring is what can give you that.
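A concrete form of the continuous-monitoring check described above, as an added example that is not part of the original interview and not code from any GRC or rating platform mentioned in it: it diffs dated external port-scan snapshots of a hypothetical vendor, raises one alert for every remote-access service (RDP among them) that newly faces the internet, and shows how a once-a-year grade would have missed the change. The port list, grade thresholds, addresses (TEST-NET-3 documentation range), dates and snapshot contents are all constructed assumptions.

```python
"""Toy continuous-monitoring check for newly internet-exposed remote-access services.

Added example, not from the original interview or any rating vendor's product.
All snapshots, addresses (TEST-NET-3 documentation range), ports and grade
thresholds below are constructed assumptions for illustration.
"""

# Remote-access services that should not face the internet without extra controls
# (assumed list; a real program would derive this from policy).
HIGH_RISK_REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}


def exposed_services(snapshot):
    """Return {(host, port)} for every high-risk remote-access port open in a snapshot.

    snapshot: dict mapping host address -> set of open TCP ports seen from the internet.
    """
    return {
        (host, port)
        for host, ports in snapshot.items()
        for port in ports
        if port in HIGH_RISK_REMOTE_ACCESS_PORTS
    }


def grade(snapshot):
    """Letter grade from the count of exposed remote-access services (assumed thresholds)."""
    count = len(exposed_services(snapshot))
    if count == 0:
        return "A"
    if count == 1:
        return "B"
    if count <= 3:
        return "C"
    return "D"


def new_exposures(previous, current):
    """Services that face the internet now but did not in the previous snapshot."""
    return exposed_services(current) - exposed_services(previous)


def monitor(snapshots):
    """Walk dated snapshots in order and emit one alert per newly exposed service.

    snapshots: dict of ISO date -> snapshot. Returns a list of alert dicts so the
    result can be pushed to a GRC platform, a ticket queue, or a test.
    """
    alerts = []
    dates = sorted(snapshots)
    for prev_date, cur_date in zip(dates, dates[1:]):
        prev, cur = snapshots[prev_date], snapshots[cur_date]
        for host, port in sorted(new_exposures(prev, cur)):
            alerts.append({
                "date": cur_date,
                "host": host,
                "service": HIGH_RISK_REMOTE_ACCESS_PORTS[port],
                "port": port,
                "grade_before": grade(prev),
                "grade_after": grade(cur),
            })
    return alerts


# Constructed sample: weekly external scans of a hypothetical vendor. Between the
# first two scans the vendor stood up remote access in a hurry and RDP appeared on
# two hosts; the third scan shows one of them closed again.
SAMPLE_SNAPSHOTS = {
    "2020-02-14": {"203.0.113.10": {443}, "203.0.113.11": {80, 443}},
    "2020-03-20": {"203.0.113.10": {443, 3389}, "203.0.113.11": {80, 443}, "203.0.113.12": {3389}},
    "2020-03-27": {"203.0.113.10": {443}, "203.0.113.11": {80, 443}, "203.0.113.12": {3389}},
}


if __name__ == "__main__":
    # A point-in-time check on 2020-02-14 would have graded this vendor "A";
    # the continuous diff catches the new RDP exposures in the very next scan.
    for alert in monitor(SAMPLE_SNAPSHOTS):
        print(alert)
    print("current grade:", grade(SAMPLE_SNAPSHOTS["2020-03-27"]))
```

The alert dicts are deliberately flat so they can be loaded straight into the vendor record of whatever GRC platform holds the rest of the vendor's data, which is the point of moving off spreadsheets: the exposure, the date it appeared and the grade change all land next to the contact and contract information rather than in a separate scan report nobody reconciles.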