UpGuard Automates Vendor Risk Management

Cyber resilience company UpGuard announced on Tuesday the launch of a new product designed to help organizations automate risk assessment for third-party vendors.

The new CyberRisk product scans each third-party vendor’s assets for cybersecurity weaknesses and assigns them a risk score based on UpGuard’s Cybersecurity Threat Assessment Rating (CSTAR) system.

UpGuard, formerly known as ScriptRock, has raised nearly $27 million since 2012, including $17 million in a Series B funding round last year. Several major data breaches discovered by the company in recent months have shown the risks posed by third-party vendors.


The list of incidents includes a Republican Party contractor exposing the details of 198 million American voters, recruiting firm TalentPen exposing information on job applicants at security firm TigerSwan, a call center services provider exposing the details of Verizon customers, and Booz Allen Hamilton exposing U.S. military files. In all cases, data was leaked online due to unprotected Amazon Web Services (AWS) S3 buckets.

UpGuard’s CyberRisk solution aims to help organizations prevent such incidents by providing detailed information on their third-party vendors’ security posture. UpGuard’s Cloudscanner analyzes billions of web properties every day in search of risk factors that could lead to data breaches.

The targeted vendor is then assigned a CSTAR risk score ranging between 0 and 950. This score takes into account several factors, including an organization’s size, infrastructure, asset configurations, exposure, industry trends, and device vulnerabilities.

Since the security firm’s automated scans cannot detect all potential weaknesses, CyberRisk provides integrated questionnaires that organizations can send to their vendors. The customer simply has to select which categories they want the questionnaire to cover and enter the targeted vendor’s email address. Once the vendor completes the questionnaire, the results of the assessment are stored in the respective company’s risk profile.

“Just as companies do background checks on prospective employee hires, it only makes sense that they conduct similar assessments of any third-party business partners before granting them access to their corporate data,” said Mike Baukes, co-founder and co-CEO of UpGuard.

“Unfortunately, many organizations still lack the processes and tools to conduct a comprehensive audit of internal and external factors affecting vendor risk. This is evidenced by the sheer number of breaches occurring on a daily basis. This is an epidemic. Our CyberRisk product not only integrates both critical aspects, but we take it several steps further by providing our customers with clear remediation guidance to become truly cyber resilient,” Baukes added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.