Practical steps to reducing cybersecurity risks

Mark Lyndersay -
Mark Lyndersay -

BitDepth#1471

ON THURSDAY, the Caribbean Chapter of the International Information System Security Certification Consortium (ISC2) hosted a webinar on third-party risk assessment.

If you aren't a backroom cybersecurity professional working for a medium to large company or government agency, that's probably worth explaining.

Third-party risk assessments are a validation of vendors who will connect to a computer network, examining their certifications, compliance with ISO standards, doing background checks, reviewing contracts and doing due diligence that the business meets or exceeds your internal standards for data management and processing.

>

The process, to be effective, must be ongoing and managed to ensure that vendors meet required standards.

This is a commonplace requirement for multinational corporations that have ironclad standards for compliance, but far less common outside of data-sensitive businesses like banking and finance.

But the risks are the same for any business that outsources or extends its resource capacity by depending on third-party services from companies such as Google, Microsoft and Amazon Web Services (AWS) which provide a range of cloud-based services, applications and storage solutions for business use.

The subject is unsurprisingly on the front burner for cybersecurity professionals who have all, whether affected or not, looked on at the collapse of more than eight million Windows computers and some Microsoft cloud services when a tiny update from Crowdstrike went live and was automatically applied.

"If you use specific vendors for a large majority of these services that you execute in your organisation, that's critical, because you are exposing your organisation by putting all the eggs in a single basket," said Ricardo Fraser, vice-president of the ISC2.

"Risk management has to be holistic," said David Gittens, a cybersecurity expert from Barbados.

"You can't be selective, focusing on one area and not the next. It doesn't make sense to emphasise third-party risk compliance and you're not monitoring what's going on with them."

So in an organisation that is responsible for risk management and compliance?

"Typically it comes down to the chief information officer (CIO) and the board," said Jimmy McCollin, an IT veteran from Barbados.

>

"The board should have skin in the game. The CIO must have the responsibility if something goes wrong, but the board also has a responsibility."

According to Collin Burgess, a Jamaican IT risk mitigator, third-party risk assessments are being done by medium and large organisations and those that are subject to regulatory requirements.

These companies store more data, process more personal information such as credit cards and run the risk of losing business if they are compromised.

But Burgess warns there are many people who think that security is not important because it is not the core function of their business.

"For vendors, the benefit is the operational efficiency that it will add to your business," said Scofield Thomas.

"It would seem a challenge and a task to adhere to some of these procedures and practices, but it brings a level of efficiency to your business and enhances your reputation, so it's a win-win all around."

"Perhaps a vendor deals with a large customer and they demand a third-party risk review, and they have no choice," said Fraser.

"Caribbean vendors are not used to that, and they may not see it as economically feasible to meet required standards just for a single customer. But if you do it for one customer, you can use that assessment and that compliance certificate for other customers as well."

Third-party risk assessment is necessary for successful relationships with external vendors, but the process is ongoing, subject to periodic review and must be both mandated and managed by C-Suite management and board-level oversight. The process need not be driven by regulators, but there should be legal accountabilities.

>

The Caricom Secretariat announced a cyber-resilience project in March with a steering committee that's gearing up for consultations and a rather distant target of 2030.

That seems a rather casual approach to the threats facing the Caribbean, which has become something of a hacker's paradise over the last two years.

Jamaica's Data Protection Act mandates compliance, but, notes Burgess, "There is no map to tell you how to create cybersecurity defences, threat intelligence and incident response."

He compares that with the UK's National Cyber Security Centre, which has an agency (https://cstu.io/56abcf) that works with private sector companies.

Regional governments and businesses should look to international cybersecurity standards and practices, which include third-party vendor assessments to harden their cybersecurity vulnerabilities and a refreshed commitment to SME cybersecurity measures appropriate to their business profile.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.

Comments

"Practical steps to reducing cybersecurity risks"

More in this section