
Cyber Security Awareness month

By Russell Gower-Leech, Cybersecurity Manager | Published 14 Oct 2024

Well, it’s officially October, which means it’s Cyber Security Awareness Month, and I know what you’re thinking: “not another piece of sales material disguised as ‘awareness’, banging on about how AI will revolutionise the security of my business”. Absolutely not!

AI does help with the prevention and detection tooling you should already have in place, but the item I really wanted to raise ‘awareness’ of is third-party risk. More and more of us are outsourcing or partnering to meet our IT and business needs, and guess what: so are the companies you’re outsourcing to.

If we look at the headlines over the last few years, we’ll see that a lot of the breaches and cyber incidents stem from a third party.

The NHS had to cancel thousands of patient appointments and procedures across multiple hospitals, not because the hospitals themselves had suffered a cyber incident, but because a shared provider of theirs was the victim of a ransomware attack.

More recently, over 20 UK train stations were affected by an incident at their shared provider, which meant the Wi-Fi service for passengers had to be taken offline.

Ok, so what do I need to be aware of exactly?

Well, this is twofold really: firstly, what kind of a risk are you to your customers? And secondly, how risky are your suppliers to you?

In both cases the answer is a risk assessment. Obviously we can’t cover every aspect of a good risk assessment here, but some key things to focus on are:

  • Security Frameworks and accreditations – Organisations that take their security seriously, and/or want to demonstrate their commitment to providing services to their clients securely, will structure their policies and processes around an established security framework such as Cyber Essentials or ISO 27001. I’d argue you should aim for both: ISO 27001 is process-orientated and non-prescriptive, whereas Cyber Essentials is technical and control-specific, so they complement each other well.

Another key point about security frameworks and accreditations is recurring assessment. Organisations should have to go through an audit and assessment to validate that their policies, processes and controls are actually aligned with the framework. Like it or not, adopting a framework is seldom ‘one and done’, and a small amount of drift is expected, so having an opportunity (or excuse) to undergo an audit and assessment to keep on track is time well spent.

  • Data Locality & Sharing – What data is being held, where is it stored, and is it shared with anyone else? It’s common for organisations to need to keep their data within certain geographical territories for legal or compliance reasons, so understanding what data your third parties are holding on your behalf, and where they keep it, is very important. Similarly, are those third parties sharing your data with anyone else, for example their own suppliers?
  • Access Control & Identity Management – As organisations use more and more third-party services, the task of securing the user accounts grows rapidly. E-mail addresses have become our online identity, and research still shows that we reuse (share) passwords across multiple accounts for our own convenience. So what is your third party doing in this space? Do they enforce MFA right out of the gate? Do they give you the ability to centrally manage this? (Tip: if the answer to either of these is ‘No’ but a comparable vendor does, strongly consider a switch.) Can you bring your own identity platform with you? Federating something like Office 365 into your external services can bring additional security controls and monitoring to those services, and simplifies your user management, as accounts are then created, protected and disabled in one place.

The other consideration here is how organisations deal with validating user requests. Services Australia has recently reported a 440% increase in breaches that leverage social engineering. Essentially, the bad guys are able to talk humans into believing they are someone they’re not, using only information they can find publicly. This alone is an awareness and process problem.

  • Vulnerability Management – Another recurring theme of breaches and cyber incidents is organisations using end-of-life or out-of-date equipment. So you need to understand whether your organisation and/or your supply chain have equipment and systems in use that cannot be updated against new security threats, and what their processes and timescales are for identifying and addressing vulnerabilities.
  • Business Dependency, Impact & Continuity – Whilst outsourcing can be great for off-loading financial cost or cost of ownership, the impact of that system or service going down or having an issue is still felt by YOU. And if that service is customer-impacting, YOU still own it.

It’s crucial to take stock of how dependent your organisation and your customers are on a particular vendor or service, and to explore options to mitigate outages and loss of data. Some of this will be down to the vendor from a technical aspect, but how you continue to operate will be down to YOU.
