Leading the charge to keep your organisation safe means expanding the risk boundaries. It means monitoring beyond your own websites, assets, and applications. You’re working with vendors daily who have access to your and your customers’ data. And you need to know that the data is secure.
Understanding the risk profile of vendor partners isn’t always straightforward. Really large vendors generally approach this issue by running their own security assessments and publishing security statements that confirm their controls. Smaller vendors, however, tend to take a “when I have time” approach. We often hear of businesses sending multiple security questionnaires to the same organisation – and of the frustrating delays in getting them back, if they get an answer at all. This slows down vulnerability management and adds risk and uncertainty.
The problem compounds when you’re hoping to gain or retain ISO 27001:2022 certification, whose Annex A supplier controls (5.19 to 5.22) expect you to assess and monitor your supply chain on an ongoing basis, not just once.
Introducing vendor domain audits
To solve this, we’ve built vendor domain audit scans into Glasstrail. These scans give you control over your automated vendor assessments and their timing, so you can see immediately what external issues exist and whether they are material to you – on your terms.
The Glasstrail vendor domain scans are the Goldilocks of scans – they combine practicality with accessibility, giving you the best of both worlds. They look for risks at the top level of the domain – email security, breached accounts, website security of the root domain, certificate expiry and reputation checks.
From a practical perspective, the scans run on domains or sub-domains. Evaluating vendor risk with website scans alone is too narrow, as they leave critical risks unidentified. A fully-fledged external attack surface scan of the kind you’d run on your own domain is too broad and complex to use for vendor risk assessments: you probably don’t need a detailed inventory of all of a vendor’s external-facing assets, domain email contacts, cloud service tenants and related IP addresses on top of breached accounts, certificate expiry and so on. That’s why Glasstrail’s vendor scans report the high-level risks within vendor domains.
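To make the domain-level checks above concrete, here is an added example (our own illustration, not Glasstrail’s scanner or its scoring) of three non-intrusive checks that only use publicly published data: SPF and DMARC email policy, and TLS certificate expiry. The vendor domains, DNS TXT answers and certificate dates are constructed inline so the script runs offline; a real audit would obtain them from DNS lookups and a TLS handshake, and the severities are our own assumed rating.

```python
"""
Added example, not Glasstrail code: non-intrusive, domain-level vendor checks.
DNS TXT answers and certificate dates are constructed below so the script runs
offline; a real audit would query DNS and read the certificate from a TLS handshake.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data for two hypothetical vendors.
SAMPLE_TXT = {
    "good-vendor.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good-vendor.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-vendor.example"],
    "weak-vendor.example": [
        "v=spf1 include:_spf.mail.example ~all",
        "v=spf1 a mx ?all",  # a second SPF record is a permerror under RFC 7208
    ],
    # weak-vendor.example publishes no _dmarc record at all
}
SAMPLE_CERT_NOT_AFTER = {
    "good-vendor.example": date(2031, 1, 1),
    "weak-vendor.example": date(2025, 5, 1),
}


@dataclass
class Finding:
    domain: str
    check: str      # "spf", "dmarc" or "certificate"
    severity: str   # assumed rating: "high", "medium" or "low"
    detail: str


def check_spf(domain: str, txt: dict) -> Optional[Finding]:
    """Flag a missing, duplicated or permissive SPF policy on the root domain."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return Finding(domain, "spf", "high", "no SPF record published")
    if len(records) > 1:
        return Finding(domain, "spf", "high",
                       f"{len(records)} SPF records (permerror: receivers ignore SPF)")
    # The "all" mechanism decides what happens to senders not listed earlier.
    all_term = next((t for t in records[0].split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return Finding(domain, "spf", "high", "SPF has no all mechanism; unlisted senders are neutral")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier in "+?":
        return Finding(domain, "spf", "high", f"SPF ends in {all_term}: unauthorised senders pass")
    if qualifier == "~":
        return Finding(domain, "spf", "medium", "SPF ends in ~all (softfail) rather than -all")
    return None


def check_dmarc(domain: str, txt: dict) -> Optional[Finding]:
    """Flag a missing DMARC record or a policy that does not enforce."""
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not records:
        return Finding(domain, "dmarc", "high", f"no DMARC record at _dmarc.{domain}")
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")  # p is required; treat a missing tag as no enforcement
    if policy == "none":
        return Finding(domain, "dmarc", "medium", "DMARC p=none: spoofed mail is reported but delivered")
    if policy == "quarantine":
        return Finding(domain, "dmarc", "low", "DMARC p=quarantine: consider moving to p=reject")
    return None


def check_certificate(domain: str, not_after: date, today: date, warn_days: int = 30) -> Optional[Finding]:
    """Flag an expired certificate, or one inside the renewal warning window."""
    days_left = (not_after - today).days
    if days_left < 0:
        return Finding(domain, "certificate", "high", f"certificate expired {-days_left} days ago")
    if days_left <= warn_days:
        return Finding(domain, "certificate", "medium", f"certificate expires in {days_left} days")
    return None


def audit_vendor(domain: str, txt: dict = SAMPLE_TXT, certs: dict = SAMPLE_CERT_NOT_AFTER,
                 today: date = date(2025, 4, 15)) -> list[Finding]:
    """Run all checks for one vendor domain; return only findings, highest severity first.
    `today` defaults to a fixed constructed date so the sample output is reproducible."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = (check_spf(domain, txt), check_dmarc(domain, txt),
               check_certificate(domain, certs[domain], today))
    return sorted((f for f in results if f), key=lambda f: order[f.severity])


if __name__ == "__main__":
    for vendor in SAMPLE_CERT_NOT_AFTER:
        findings = audit_vendor(vendor)
        print(f"{vendor}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Every input here is something the vendor already publishes to the internet, which is what makes the check non-intrusive: no requests go beyond a DNS lookup and a TLS handshake, and nothing is sent to the vendor’s staff. Note what it cannot tell you: an enforcing DMARC policy and a fresh certificate say nothing about internal controls, so a clean domain audit narrows the questionnaire rather than replacing it.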
Every plan can run vendor domain audits, as these count towards your root domain allowance. Available today, Glasstrail’s vendor domain audits are ideal for any business wanting to run non-intrusive scans on its supply chain vendors and discover quickly what information is publicly visible. Because the scans only look at what a vendor exposes externally, they show you where to focus a questionnaire or a follow-up conversation rather than replacing that assessment of the vendor’s internal controls.
Ready to speed up your vendor risk reviews?
Vendor domain scans are now available in every Glasstrail account. If you’re already a customer, log in and set up a new entity in the Scanning tab, then wait just a few minutes to see the results. Not using Glasstrail yet? Take a free 14-day trial, or get in touch for a demo to see it in action!